Impact
The vulnerability is a stored cross‑site scripting flaw caused by improper neutralization of user input when generating web page content. Malicious code entered through the plugin’s email‑sending interface is stored and later rendered in every visitor's browser. The impact can include defacement, theft of credentials, or other client‑side attacks. The likely attack vector is an attacker with write access to the plugin’s interface, inferred from the need to inject data that is then persisted. This inference is not stated directly in the CVE description, but follows from the stored nature of the flaw.
Affected Systems
All WordPress installations that use the Paolo Melchiorre Send E‑mail plugin at version 1.3 or earlier are affected. The flaw resides exclusively in the plugin code, so any WordPress site, regardless of operating system, PHP version, or other installed plugins, is vulnerable if this plugin is present.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1 % indicates a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker would likely exploit this via a user account that can submit data to the plugin’s email‑sending form, injecting malicious JavaScript that the plugin stores in the database and later renders to site visitors. This path requires the attacker to have write access to that form but does not require administrative privileges or direct code modifications.
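To make the improper‑neutralization pattern described above concrete, the following is an added illustration in the WordPress PHP idiom, not code from the Send E‑mail plugin: a hypothetical user‑controlled field is saved with the plugin settings and later echoed into a page. The field name, option key and function names are assumed.

```php
<?php
// Hypothetical fragment illustrating the stored-XSS pattern in a WordPress
// plugin; it is NOT the Send E-mail plugin's code. A user-controlled field
// (here a "sender name") is saved with the plugin settings and later echoed
// into a page that other users view.

// VULNERABLE: the submitted value is stored as-is and later concatenated
// into HTML without escaping, so a stored <script> payload runs in every
// visitor's browser.
function demo_save_sender_vulnerable(array $post): void {
    update_option('demo_sender_name', wp_unslash($post['sender_name'] ?? ''));
}

function demo_render_sender_vulnerable(): string {
    return '<p>Sent by: ' . get_option('demo_sender_name', '') . '</p>';
}

// HARDENED: sanitize on input as defence in depth, and escape for the HTML
// context at the point of output, which is the control that actually stops
// the injection.
function demo_save_sender_hardened(array $post): void {
    $name = sanitize_text_field(wp_unslash($post['sender_name'] ?? ''));
    update_option('demo_sender_name', $name);
}

function demo_render_sender_hardened(): string {
    return '<p>Sent by: ' . esc_html(get_option('demo_sender_name', '')) . '</p>';
}
```

If the stored value is written into an attribute or a script block rather than element text, the matching context‑specific escaper (`esc_attr`, `esc_js`) must be used instead of `esc_html`.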
OpenCVE Enrichment