Impact
The vulnerability is an improper neutralization of user input during web page generation that results in stored (persistent) cross-site scripting in the ATP Call Now WordPress plugin. The plugin accepts user-supplied data, stores it without sanitizing it, and later renders it into pages without escaping it for the HTML context in which it appears. An attacker who gets a payload stored can therefore run arbitrary JavaScript in the browser of every visitor who loads an affected page, with the usual consequences of stored XSS: session hijacking, site defacement, credential theft, or actions performed with the victim's privileges. The weakness is classified as CWE-79.
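The pattern described above, shown as an added illustration rather than code from the ATP Call Now plugin: a vulnerable save/render pair that stores request data raw and echoes it into HTML, beside the hardened form that checks capability and nonce, sanitizes on input and escapes for each output context. The option names, field names, hook names and `atp_demo_*` function names are assumptions made for this example; the plugin's real identifiers are not on this page.

```php
<?php
// Added example, not the plugin's own code. Option/field/function names are assumed.

// --- Vulnerable pattern: raw request data stored, then echoed unescaped ---
function atp_demo_save_unsafe() {
    if ( isset( $_POST['atp_call_label'] ) ) {
        // No capability check, no nonce, no sanitization: the submitted string
        // (e.g. "><script>...</script>, a generic stored-XSS payload) is stored as-is.
        update_option( 'atp_demo_call_label', wp_unslash( $_POST['atp_call_label'] ) );
    }
}

function atp_demo_render_unsafe() {
    $label = get_option( 'atp_demo_call_label', 'Call now' );
    // The stored value lands directly in an attribute and in element text, so
    // any markup or event handler inside it becomes part of the page for every visitor.
    echo '<a href="tel:123" title="' . $label . '">' . $label . '</a>';
}

// --- Hardened pattern: authorize, verify intent, sanitize on input, escape on output ---
function atp_demo_save_safe() {
    if ( ! isset( $_POST['atp_call_label'] ) ) {
        return;
    }
    // Only administrators may change the setting, and the request must carry a valid nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'atp_demo_save', 'atp_demo_nonce' );
    // sanitize_text_field() strips tags and control characters, but keeps quotes,
    // so it alone would not stop an attribute-breakout; output escaping below still matters.
    $label = sanitize_text_field( wp_unslash( $_POST['atp_call_label'] ) );
    update_option( 'atp_demo_call_label', $label );
}

function atp_demo_render_safe() {
    $label  = get_option( 'atp_demo_call_label', 'Call now' );
    $number = get_option( 'atp_demo_call_number', '' );
    if ( '' === $number ) {
        return;
    }
    // Context-specific escaping at the point of output: URL, attribute, and text
    // each need a different escaper. Input sanitization is defense in depth, not a
    // substitute, because the option can be written by other code paths as well.
    printf(
        '<a href="%s" title="%s">%s</a>',
        esc_url( 'tel:' . $number ),
        esc_attr( $label ),
        esc_html( $label )
    );
}

add_action( 'admin_post_atp_demo_save', 'atp_demo_save_safe' );
add_shortcode( 'atp_demo_call_now', function () {
    ob_start();
    atp_demo_render_safe();
    return ob_get_clean();
} );
```

When reviewing a plugin for this class of bug, look for every `echo`/`printf` of a value that came from `get_option()`, post meta, or `$_GET`/`$_POST`, and confirm that each one passes through the escaper matching its context (`esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses_post()` where limited HTML is intended).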
Affected Systems
The affected product is the WordPress ATP Call Now plugin from Truong Thanh. All versions up to and including 1.0.3 are vulnerable. Any WordPress site that has this plugin installed at version 1.0.3 or earlier is exposed; updating to a release above 1.0.3 is the remediation. No other components of WordPress are directly implicated by this issue.
Risk and Exploitability
The CVSS score is 5.9, a medium severity rating. The EPSS score is below 1 %, indicating a low estimated probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Stored XSS can nonetheless be highly damaging when it succeeds, particularly on multi-user sites, where a payload planted by one user executes for every other user who views the page, administrators included. The attack is delivered over the web: the attacker submits malicious input through the plugin's data-removal or submission interface, the plugin stores it, and the payload executes whenever any user loads a page that renders the stored data. Overall risk is moderate, but organizations running the plugin should update it rather than rely on the low EPSS figure.