Impact
The vulnerability is an improper neutralization of input during web page generation that permits stored cross‑site scripting within the PDPA Consent for Thailand WordPress plugin. This flaw allows an attacker to embed malicious scripts into page content that is stored and subsequently rendered for all site visitors, potentially leading to theft of user credentials, defacement, or the delivery of additional attacks. The weakness is classified as CWE‑79 and carries a CVSS score of 5.9, indicating moderate severity.
Affected Systems
Any WordPress installation that has the PDPA Consent for Thailand plugin by iamapinan from its earliest release through version 1.1.1 is affected. The plugin is used to manage privacy consent for Thai users, and the flaw exists in all versions listed in the vulnerability scope. Sites that still rely on these versions of the plugin are at risk until the software is updated.
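To check whether a site falls in the affected range, the following added example (not code from the plugin or from this advisory) scans a plugins directory for WordPress plugin headers and reports copies at or below 1.1.1. It assumes the plugin's "Plugin Name" header matches the name used here; the folder names and the 1.2.0 version in the sample tree are constructed for illustration.

```python
import re, tempfile
from pathlib import Path

PLUGIN_NAME = "PDPA Consent for Thailand"  # assumed to equal the header's "Plugin Name"
LAST_AFFECTED = (1, 1, 1)                  # advisory: every release through 1.1.1
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M | re.I)

def read_header(php_file):
    """Parse the plugin header from the first 8 KiB of a file, the region WordPress reads."""
    head = Path(php_file).read_bytes()[:8192].decode("utf-8", "replace").replace("\r", "")
    return {key.lower(): value for key, value in HEADER_RE.findall(head)}

def version_tuple(text):
    """First three numeric fields of a dotted version, zero-padded ("1.2" -> (1, 2, 0))."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def find_affected(plugins_dir):
    """Return (file, version) for each copy of the plugin at or below 1.1.1."""
    hits = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        hdr = read_header(php)
        if hdr.get("plugin name", "").lower() != PLUGIN_NAME.lower():
            continue
        ver = hdr.get("version", "")
        # No parseable version means the copy cannot be shown to be newer: report it.
        if not re.search(r"\d", ver) or version_tuple(ver) <= LAST_AFFECTED:
            hits.append((str(php), ver or "unknown"))
    return hits

def write_sample_tree(root):
    """Constructed sample: three fake plugin folders (names and 1.2.0 are placeholders)."""
    samples = {"consent-old": (PLUGIN_NAME, "1.1.1"),
               "consent-new": (PLUGIN_NAME, "1.2.0"),
               "unrelated": ("Some Other Plugin", "1.0.0")}
    for folder, (name, ver) in samples.items():
        d = Path(root) / folder
        d.mkdir(parents=True)
        (d / "main.php").write_text(f"<?php\n/**\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, ver in find_affected(write_sample_tree(tmp)):
            print(f"AFFECTED {ver}: {path}")
```

On a real site, pass the path of the `wp-content/plugins` directory to `find_affected`.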
Risk and Exploitability
The CVSS score of 5.9 denotes moderate potential damage. The EPSS score of less than 1% suggests that exploitation is currently rare, and the vulnerability is not included in the CISA KEV catalog. Based on the description, the likely attack vector involves the plugin’s input mechanisms, such as consent form fields or administrative configuration pages, where unsanitized data can be stored and later served to viewers. This inference is drawn from the stored XSS nature of the flaw.