Impact
A cross‑site request forgery flaw (CWE‑352) in the Nepali Date Utilities plugin enables an attacker to submit a crafted request that stores malicious script data in the site. When an affected visitor loads the stored content, the injected script executes in the victim’s browser. The impact is the execution of arbitrary client‑side code, which can lead to malicious content being displayed or further client‑side attacks. The description does not indicate that the script can escape into server‑side code or perform operations beyond the browser context.
Affected Systems
The plugin developer, ashokbasnet, released Nepali Date Utilities versions up through 1.0.15 that contain the flaw. Every installation running 1.0.15 or an earlier version is vulnerable; no fixed release is identified in the provided information.
Risk and Exploitability
The CVSS score of 7.1 marks the vulnerability as high severity. The EPSS score of less than 1% suggests a low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. The flaw is most likely exploitable when an attacker can cause a malicious POST request to reach the plugin endpoint that lacks proper CSRF protection, implying that exploitation depends on an authenticated user's browser submitting the forged request, or on the attacker otherwise causing the plugin to store the malicious data.
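The defensive pattern for this class of flaw in a WordPress plugin, as an added example that is not code from Nepali Date Utilities: the option name, form field and function names are hypothetical placeholders. It places a handler that accepts any POST beside the same handler gated by a nonce check, a capability check, input sanitization and output escaping.

```php
<?php
// Added illustration, not code from the Nepali Date Utilities plugin. The option
// name, form field and function names below are hypothetical placeholders.

// Vulnerable pattern: the handler trusts any POST that reaches it, so a request
// forged from another origin (CSRF) can store attacker-chosen markup, and the
// unescaped output later renders it as script (stored XSS).
function ndu_example_save_settings_vulnerable() {
    if ( isset( $_POST['ndu_date_format'] ) ) {
        update_option( 'ndu_example_date_format', $_POST['ndu_date_format'] );
    }
}
function ndu_example_render_vulnerable() {
    echo '<p>' . get_option( 'ndu_example_date_format', '' ) . '</p>';
}

// Hardened pattern: a nonce ties the request to a form the user actually loaded,
// the capability check limits who may change settings, input is sanitized on
// write, and output is escaped on read.
function ndu_example_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'ndu_example_save', 'ndu_example_nonce' );
    echo '<input type="text" name="ndu_date_format" value="'
        . esc_attr( get_option( 'ndu_example_date_format', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}
function ndu_example_save_settings_hardened() {
    if ( ! isset( $_POST['ndu_date_format'] ) ) {
        return;
    }
    // Rejects requests that lack a valid nonce for this action (CSRF defense).
    check_admin_referer( 'ndu_example_save', 'ndu_example_nonce' );
    // Only users allowed to manage options may change the stored value.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Strip tags and control characters before storing (defense in depth).
    $format = sanitize_text_field( wp_unslash( $_POST['ndu_date_format'] ) );
    update_option( 'ndu_example_date_format', $format );
}
function ndu_example_render_hardened() {
    // Escape on output so stored text is displayed, never executed as script.
    echo '<p>' . esc_html( get_option( 'ndu_example_date_format', '' ) ) . '</p>';
}
```

The nonce check alone closes the CSRF path; the capability check, sanitization and escaping are the layers that keep a single missed check from turning into stored script execution.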
OpenCVE Enrichment
EUVD