The vulnerability is a stored XSS flaw caused by improper neutralization of user input during web page generation. Because the Reactive Mortgage Calculator plugin does not sanitize data before rendering it, malicious scripts can be stored and executed when displayed, so a user who can submit data to the calculator could potentially inject scripts that execute in the browsers of other visitors. Based on the description, it is inferred that such injected scripts could allow attack‑related actions, but the CVE does not specify particular consequences such as session cookie theft or defacement.

The flaw affects the WordPress Reactive Mortgage Calculator plugin published by afzal_du. Versions from unknown start up to and including 1.1 are impacted. All installations of the plugin on WordPress sites that have not upgraded beyond 1.1 are susceptible.

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests that exploitation is currently very unlikely. The vulnerability is not listed in the CISA KEV catalog, but its presence in a widely used WordPress plugin means that an active attacker with the opportunity to submit data could still attempt exploitation. The attack vector requires that data be stored in the plugin’s database and later served in a context that does not escape output, so a malicious user who can supply input to the calculator (for example, by creating a loan calculation) can launch the stored XSS.