Impact
The WP Last Modified plugin by Rahul Arora improperly neutralizes input during web page generation, which lets attackers inject malicious scripts that are stored in the database and executed in the browser of any user who views the affected page. This is a classic stored cross-site scripting flaw (CWE-79) and can lead to session hijacking, credential theft, defacement, or the execution of arbitrary code in the user's browser context. The vulnerability is confined to the plugin's data handling; it does not directly expose system files or server configuration settings.
Affected Systems
Any WordPress site running the WP Last Modified plugin at version 0.1 or earlier is affected. No other WordPress components are specifically impacted. The vulnerability applies to all standard installs of the plugin up to and including version 0.1.
Risk and Exploitability
The CVSS score of 5.9 indicates moderate risk, and the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The vulnerability is not yet listed in the CISA KEV catalog. An attacker would need to supply crafted input that the plugin stores and later renders unsanitized, typically by creating or editing content that the plugin processes. Once the payload is stored, it runs in the browser of any visitor who loads the affected page, so exploitation depends largely on user interaction but could be automated if the malicious content is widely distributed.