Impact
An improper neutralization of user‑supplied data during page generation in the Nepali Date Converter plugin allows an attacker to store malicious script in content the plugin later renders. The vulnerability is a stored XSS flaw: the injected JavaScript executes in the browser of anyone who views the compromised content, potentially leading to session hijacking, phishing, or defacement. This weakness falls under CWE‑79. It does not directly grant privileges beyond the web user’s context, but it can subvert user trust and damage brand integrity.
Affected Systems
WordPress sites that have installed the AddonsPress Nepali Date Converter plugin version 2.0.8 or older are impacted. The plugin is distributed by AddonsPress and is intended for WordPress themes and plugins that require Nepali calendar functionality.
Risk and Exploitability
The CVSS score of 6.5 indicates medium severity, but the EPSS score of less than 1% suggests that the probability of exploitation is currently low. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be the plugin’s legitimate input mechanisms: an attacker submits a payload that is stored and later rendered in the site’s front end. Successful exploitation would require the attacker to have write access to the plugin’s input fields, or to supply crafted content that is later displayed to site visitors.
OpenCVE Enrichment