Impact
This vulnerability is a stored cross‑site scripting flaw caused by improper neutralization of script‑related HTML tags. An attacker who can submit data that is later rendered by the WordPress Flag Icons plugin can inject JavaScript that executes in the browser of any visitor who loads a page containing the affected plugin output. As a result, attackers could hijack user sessions, steal sensitive information, or perform clickjacking or phishing attacks. The weakness is categorized as CWE‑80 and carries a CVSS score of 5.9, indicating a moderate level of severity.
Affected Systems
The flaw impacts the WordPress Flag Icons plugin (developed by Vasilis Triantafyllou, Flag Icons) in all releases up to and including version 2.2. WordPress sites that have this plugin installed and are running a vulnerable version are at risk, regardless of the site host or theme. Direct interaction with the plugin’s language‑selector interface or configuration pages can store malicious input that is later displayed to site visitors.
Risk and Exploitability
With a CVSS score of 5.9 and an EPSS of less than 1%, the vulnerability is considered moderate but unlikely to be widely targeted in the short term. It is not listed in the CISA KEV catalog. An attacker would need the ability to inject and store data via the plugin’s provided interface or to exploit an existing stored payload. Once stored, the payload executes on every page that loads the plugin’s output, potentially affecting all users who view those pages. Because the payload persists in stored content, exploitation bypasses typical WordPress role restrictions if the site allows non‑admin users to alter plugin‑related fields.
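As an added illustration of the CWE‑80 pattern described above (not code from the Flag Icons plugin), the hypothetical snippet below renders a stored language‑selector entry first without escaping, the shape that produces a stored XSS, and then with WordPress’s context‑specific escaping functions; the `flag_icons_demo_*` names, the sample stored values and the shims for running outside WordPress are constructed for this example.

```php
<?php
// Added example, not the plugin's code. The shims below only exist so the file
// runs from the PHP CLI; inside WordPress the real esc_html(), esc_attr() and
// sanitize_text_field() are used instead (the shims are simplified versions).
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string)$s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string)$s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($s) { return trim(strip_tags((string)$s)); }
}

// Constructed stored setting values, standing in for a language label and code
// that a user with access to the plugin's configuration fields could have saved.
$stored_code  = 'gr" onmouseover="alert(1)';
$stored_label = '<img src=x onerror=alert(1)>';

// Vulnerable shape (CWE-80): stored values are interpolated straight into markup,
// so tag and attribute delimiters in the data become part of the page structure.
function flag_icons_demo_option_vulnerable($code, $label) {
    return "<option value=\"$code\">$label</option>";
}

// Hardened shape: neutralize on save and escape on output for the exact context
// (esc_attr for the attribute value, esc_html for the element text).
function flag_icons_demo_save($code, $label) {
    // In WordPress this belongs in register_setting()'s 'sanitize_callback'.
    return [sanitize_text_field($code), sanitize_text_field($label)];
}

function flag_icons_demo_option_safe($code, $label) {
    return '<option value="' . esc_attr($code) . '">' . esc_html($label) . '</option>';
}

echo "vulnerable: " . flag_icons_demo_option_vulnerable($stored_code, $stored_label) . PHP_EOL;
[$clean_code, $clean_label] = flag_icons_demo_save($stored_code, $stored_label);
echo "hardened:   " . flag_icons_demo_option_safe($clean_code, $clean_label) . PHP_EOL;
```

Escaping on output is the control that actually closes the hole; sanitizing on save is defence in depth, since values already stored by a vulnerable version remain in the database after the plugin is updated.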
OpenCVE Enrichment