The vulnerability allows an attacker to post a malicious script through a CSRF request, resulting in stored XSS that can later execute in the browser of anyone who views the popup content. By delivering code that runs in the context of the affected WordPress site, an attacker can hijack sessions, deface the site, or exfiltrate data. The weakness is a lack of CSRF protection combined with failure to sanitize or escape user‑supplied popup content, categorised as CWE-352.

WordPress sites that have the Milat jQuery Automatic Popup plugin version 1.3.1 or earlier installed are affected. All installations of "Milat jQuery Automatic Popup" that have not been upgraded to a newer release are vulnerable.

With a CVSS score of 7.1 the vulnerability is considered high severity, but the EPSS score of less than 1% indicates a low likelihood of exploitation at this time. Based on the description, it is inferred that the plugin’s endpoint, which is publicly reachable, can be targeted via a crafted URL that an attacker might try to get an administrator to visit; this constitutes the likely attack vector. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been actively abused in the wild.