An improper neutralization of input during web page generation allows stored cross‑site scripting. The plugin accepts user‑controllable content that is saved and later rendered on the site without proper escaping. A malicious actor can embed JavaScript or other executable payloads, causing the script to run in the browsers of anyone who views the affected page. Such payloads can steal session cookies, deface the site, or redirect users to phishing sites. The weakness is classified as CWE‑79.

The issue affects the Prem Tiwari FM Notification Bar plugin for WordPress, regardless of the site’s host or WordPress version, as long as the plugin is installed in any version up to and including 1.0.4. WordPress sites that use the plugin’s content settings, widgets, or shortcode functionality are susceptible until a newer release is deployed. The vulnerability has no version floor; the entire range from the initial release through 1.0.4 is impacted.

The CVSS score of 5.9 indicates a moderate severity. The EPSS score of less than 1 % suggests a low probability of exploitation in the wild, and the vulnerability is not currently listed in CISA’s KEV catalog. The attack vector is inferred to be through the plugin’s interface where content can be entered, stored, and rendered on the site; therefore an attacker with the ability to insert content—such as an admin, contributor, or even a regular visitor if the plugin exposes a front‑end editor—could trigger the stored XSS. Once a payload is stored, any visitor to the affected page will execute it.