The vulnerability in the Flexible PDF Coupons plugin arises from improper neutralization of user input during web page generation, resulting in a stored cross‑site scripting flaw. Because the plugin accepts coupon details and displays them without adequate sanitization, an attacker can embed arbitrary JavaScript that will execute when the content is viewed by any user accessing the coupon pages. This flaw permits attackers to steal authentication cookies, deface sites, or perform phishing attacks within the context of the target site, compromising confidentiality and integrity of user sessions.

The affected product is the WordPress plugin Flexible PDF Coupons (wpdesk Flexible PDF Coupons), in all versions prior to 1.10.3. Users running any earlier release are vulnerable.

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a very low probability of exploitation at this time. The vulnerability is not listed in CISA KEV. Attackers would need to obtain a page that executes the stored script, typically by having an administrator create or edit a coupon and a victim browsing that page. The flaw does not allow server‑side code execution or file upload, but it does enable client‑side script execution, which can be leveraged for credential theft, session hijacking, or defacement.