The vulnerability is a stored cross‑site scripting flaw in the Nepali Post Date WordPress plugin. Improper input neutralization during web‑page generation allows an attacker to store malicious JavaScript that is later rendered to visitors. When victims view the affected content, the injected script runs in their browsers, enabling session hijacking, defacement, phishing, or other client‑side exploitation. The flaw does not directly expose server‑side code, but it provides a vector for attacks that can compromise confidentiality and integrity of user data on the client side.

Vendor Padam Shankhadev provides the Nepali Post Date plugin for WordPress. All release versions up through 5.1.1 are affected. The flaw exists from the initial release through 5.1.1, as documented by the CNA. Users running older WordPress installations with this plugin are potentially exposed, particularly if the plugin’s content area is publicly accessible.

Based on the description, it is inferred that the attacker needs a way to submit or edit content handled by the plugin. If the plugin accepts unauthenticated submissions, an attacker could inject malicious JavaScript without logging in; otherwise, an attacker would need authorized access to create or modify posts. Once the data is stored, the script executes in the browsers of anyone who views the affected content, providing a client‑side exploitation channel. The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, implying no known widespread exploitation yet.