Impact
An improper neutralization of input during web page generation allows stored cross‑site scripting. The flaw permits an attacker to inject malicious script that is later rendered to any user who views pages containing the stored content, potentially leading to session hijacking, defacement, or phishing. The weakness is a classic input validation flaw that compromises confidentiality, integrity, and availability of the affected WordPress site.
Affected Systems
The vulnerability affects the flomei Simple‑Audioplayer WordPress plugin versions up to and including 1.1. Users running any of these releases should verify the plugin version and apply the vendor update. No other WordPress components are directly impacted according to the CNA data.
Risk and Exploitability
The CVSS base score of 6.5 indicates a moderate severity risk. The EPSS score is reported as less than 1 %, suggesting low exploitation probability at present, and the vulnerability is not listed in the CISA KEV catalogue. The likely attack vector involves any interface that accepts user‑supplied content and stores it for later display; an attacker could exploit this by inserting JavaScript through plugin settings or metadata. Because the vulnerability is stored XSS, the injected input has to be persisted before it takes effect, but the privileges required are relatively low compared with other exposure types. It is a publicly known issue rather than a zero‑day, and it deserves timely patching.