Impact
The vulnerability allows an attacker to perform a cross‑site request forgery that injects a malicious script into the plugin’s stored data. When a legitimate admin or user views the site, the injected script executes in the victim’s browser. This can lead to defacement, theft of session cookies, or other malicious actions originating from the site. The weakness is identified as a Stored Cross‑Site Scripting flaw (CWE‑352 for the CSRF component).
Affected Systems
The issue impacts the Personal Favicon plugin by mangup on WordPress installations. All releases from the initial build up through version 2.0 are vulnerable; no specific sub‑version range is provided. Users should verify the plugin version and plan for an upgrade if it falls within this range.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a CSRF request crafted by an attacker and unknowingly submitted by a privileged or authenticated user. If the attacker can persuade a site administrator or logged‑in user to visit a malicious link, the payload is stored and then served to all subsequent visitors. The risk is therefore moderate, on the assumption that the site has a mix of administrators and external users who may be exposed to the stored script.
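The two sections above describe the same defect from both ends: a settings handler that accepts any POST it receives (no nonce, no capability check) and stores the value unsanitised, which is later echoed into every page. The PHP below is an added illustration written for this page, not code from the Personal Favicon plugin or from mangup; the option key, action name, form field and capability are assumptions chosen for the example. It places the weak pattern beside the hardened form so the four controls that close the CSRF-to-stored-XSS chain (capability check, nonce verification, sanitisation on write, escaping on output) can be seen together.

```php
<?php
// Added illustration, not the plugin's code. Option key, action name and
// capability below are assumptions for this example.

// --- Weak pattern: a settings save that trusts any POST it receives. ---
// With no nonce and no capability check, a page an admin is lured to can
// auto-submit this form cross-site; the raw value is then echoed unescaped.
function example_favicon_save_weak() {
    if ( isset( $_POST['favicon_url'] ) ) {
        update_option( 'example_favicon_url', $_POST['favicon_url'] ); // raw input stored
    }
}
function example_favicon_output_weak() {
    echo '<link rel="icon" href="' . get_option( 'example_favicon_url' ) . '">'; // no escaping
}

// --- Hardened pattern: each control fails closed on its own. ---
define( 'EXAMPLE_FAVICON_OPTION', 'example_favicon_url' );   // assumed option key
define( 'EXAMPLE_FAVICON_ACTION', 'example_favicon_save' );  // assumed action name

function example_favicon_settings_form() {
    // The nonce is bound to this action and the current user's session; a
    // forged request from another origin cannot supply a valid one.
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="' . esc_attr( EXAMPLE_FAVICON_ACTION ) . '">';
    wp_nonce_field( EXAMPLE_FAVICON_ACTION, '_example_favicon_nonce' );
    echo '<input type="url" name="favicon_url" value="'
        . esc_attr( get_option( EXAMPLE_FAVICON_OPTION, '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

function example_favicon_save_hardened() {
    // 1. Only users allowed to change site settings may reach this handler.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. Reject requests without a valid nonce: this is the CSRF control.
    //    check_admin_referer() calls wp_die() itself when verification fails.
    check_admin_referer( EXAMPLE_FAVICON_ACTION, '_example_favicon_nonce' );

    // 3. Sanitise on write: keep only a URL, and only http(s) schemes, so a
    //    javascript: or data: value never reaches the database.
    $url = '';
    if ( isset( $_POST['favicon_url'] ) ) {
        $url = esc_url_raw( wp_unslash( $_POST['favicon_url'] ), array( 'http', 'https' ) );
    }
    update_option( EXAMPLE_FAVICON_OPTION, $url );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_' . EXAMPLE_FAVICON_ACTION, 'example_favicon_save_hardened' );

function example_favicon_output_hardened() {
    // 4. Escape on output too: stored data is treated as untrusted even after
    //    sanitisation, so a value written by an older release is still safe.
    $url = get_option( EXAMPLE_FAVICON_OPTION, '' );
    if ( $url !== '' ) {
        echo '<link rel="icon" href="' . esc_url( $url ) . '">' . "\n";
    }
}
add_action( 'wp_head', 'example_favicon_output_hardened' );
```

When reviewing an installed plugin against this class of flaw, the check is mechanical: find every `update_option()` or database write reachable from a request, confirm a `check_admin_referer()` / `wp_verify_nonce()` and a `current_user_can()` call guard it, and confirm every echo of the stored value passes through an `esc_*()` function. A handler that has only one of the four controls is the pattern the advisory describes.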