This vulnerability is an improper neutralization of input during web page generation that enables attackers to inject malicious JavaScript into stored data. The stored cross‑site scripting flaw could allow an attacker to execute code in the browsers of any visitor who views the affected content; it is inferred that such code execution could lead to session cookie theft, account hijacking, or defacement, although these specific consequences are not explicitly described in the official description. The weakness is classified as CWE‑79 and poses risks to confidentiality and integrity, though it does not directly affect availability.

The flaw affects the WordPress plugin Color Your Bar, developed by Darshan Saroya, in versions up through and including 2.0. Any WordPress installation that has this plugin installed and not yet updated to a version later than 2.0 is susceptible.

The CVSS score of 5.9 places the vulnerability in the medium severity range, but the EPSS score being less than 1% indicates a very low probability of existing exploits in the wild. The issue is not listed in the CISA KEV catalog. Exploitation requires that an attacker have knowledge of the plugin's data entry point to store malicious payloads, so the attack vector is likely through an interface that writes content to the database. Once stored, the payload will run in any end‑user browser that renders the affected pages.