This flaw allows malicious input to be stored and reflected in generated web pages, enabling attackers to execute arbitrary scripts in users' browsers. The stored XSS is identified by CWE‑79. Based on the description, it is inferred that the attack involves injecting JavaScript that executes when a victim views a page contaminated with the payload, potentially stealing session cookies, defacing the site or redirecting users.

The vulnerability applies to the Pretty file links plugin from the vendor smartredfox, for all releases up to and including version 0.9. Any WordPress site that has this plugin installed and is unaware of the stored XSS vulnerability could be impacted.

The CVSS score of 6.5 places the issue in the medium severity range. The EPSS score of less than 1 percent indicates a very low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the likely attack vector involves an attacker submitting malicious payloads through the plugin’s input interfaces, which are processed and stored for later rendering. The flaw would require an attacker first to supply malicious input to the plugin’s data store, which is likely feasible through any input that the plugin accepts from site administrators or users with privileges. Once stored, the script would run in the browsers of any visitor to the affected page, presenting a risk to confidentiality and integrity of users.