Impact
The vulnerability is classed as improper neutralization of input during web page generation (Cross‑Site Scripting, CWE‑79). The Hand Talk plugin saves user‑supplied data and later renders it into pages without adequate escaping, so an attacker who can get a payload stored can have script execute in the browser of anyone who views the affected page. Because the payload persists on the server (stored XSS), it fires for every visitor to that page, whatever their role, and can be used for session hijacking, credential theft, defacement, or running arbitrary client‑side code in the visitor's browser. Note that WordPress sets its authentication cookies HttpOnly, so the practical impact is usually script acting with the victim's session (for example issuing authenticated requests to wp‑admin) rather than direct cookie theft.
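The following is an added illustration of the bug class, not code from the Hand Talk plugin, whose real entry point the CVE text does not identify. The setting name, the markup, the attacker string and the stand‑in definitions of esc_html(), esc_attr() and sanitize_text_field() are all assumptions made so the script runs with plain `php` outside WordPress; inside WordPress those functions already exist and the stand‑ins are skipped.

```php
<?php
// Added example for this advisory; hypothetical, not the Hand Talk plugin's code.
// Assumed: a stored "label" setting rendered into a front-end widget.

// Stand-ins so the script runs outside WordPress. WordPress's own versions use
// htmlspecialchars() with ENT_QUOTES as well (esc_html() also avoids double-encoding
// existing entities, which this simplified version does not attempt).
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // WordPress also removes script/style bodies, invalid UTF-8 and extra whitespace;
        // stripping tags is enough for this demonstration.
        return trim(strip_tags((string) $str));
    }
}

// Constructed attacker value: imagine it was saved through a form field the plugin
// did not sanitize. It closes the title attribute and adds an event handler.
$stored_label = '" onmouseover="alert(document.cookie)" x="';

// BEFORE: the stored value is concatenated straight into an attribute and a text node.
function render_widget_vulnerable($label) {
    return '<div class="handtalk-widget" title="' . $label . '">' . $label . '</div>';
}

// AFTER: escape for the exact output context. esc_attr() for attribute values,
// esc_html() for text nodes. Quotes and angle brackets become entities, so the
// browser treats the attacker's string as data, not markup.
function render_widget_hardened($label) {
    return '<div class="handtalk-widget" title="' . esc_attr($label) . '">'
         . esc_html($label) . '</div>';
}

// Defence in depth: also sanitize on the way in. In a real plugin this is the
// 'sanitize_callback' of register_setting() or runs in the save handler after a
// capability check and nonce verification, so the stored option never holds markup.
function sanitize_label_on_save($raw) {
    return sanitize_text_field($raw);
}

echo "Vulnerable output (onmouseover handler is live):\n";
echo render_widget_vulnerable($stored_label), "\n\n";
echo "Hardened output (quotes rendered as &quot;):\n";
echo render_widget_hardened($stored_label), "\n\n";
echo "Sanitized on save:\n";
echo sanitize_label_on_save('<b>Hand Talk</b>'), "\n";   // prints: Hand Talk
```

Two points the example is meant to make. First, escaping is a property of the output context, not of the data: the same value needs esc_attr() inside an attribute and esc_html() in a text node, and a field that legitimately carries HTML would go through wp_kses_post() instead. Second, input sanitization on save is worthwhile but is not a substitute for output escaping, because the database can be populated by other paths (imports, older plugin versions, direct SQL).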
Affected Systems
Sites running the WordPress Hand Talk plugin at version 6.1 or earlier are affected. The plugin, developed by Rodrigo Bastos, is distributed as a standard WordPress plugin and is typically installed under wp‑content/plugins/handtalk. Any site that has not updated beyond version 6.1 remains vulnerable; confirm the installed version from the Version: header of the plugin's main file or from the Plugins screen in wp‑admin.
Risk and Exploitability
The CVSS base score of 5.9 places the issue at Medium severity, and the EPSS score below 1% reflects a very low predicted likelihood of exploitation at the time of reporting. Because it is stored XSS, the entry point is almost certainly a form field or request parameter whose value the plugin saves, but the CVE description does not name the field or state which user role can write to it. That role matters for triage: a field writable only by administrators is far less exposed than one reachable by low‑privilege accounts or unauthenticated visitors. The vulnerability is not listed in the CISA KEV catalog, which means CISA has no confirmed exploitation on record, not that exploitation has not occurred. Even so, because a stored payload reaches every user who views the compromised content, administrators should treat it as a meaningful risk of data theft or disruption and update the plugin.
OpenCVE Enrichment