Impact
File Manager Pro up to version 1.8.8 contains a stored XSS vulnerability: unsanitized data entered through the plugin is stored and then rendered in a web page without proper escaping. An attacker who can supply crafted input can inject arbitrary JavaScript that executes in the browsers of users who view the affected content. This can lead to theft of session cookies, phishing, or other client-side attacks, compromising the confidentiality and integrity of the site's users. The CVSS base score of 5.9 indicates moderate severity, with users impacted only when the affected content is accessed through the web interface.
Affected Systems
The flaw is present in all releases of Ninja Team File Manager Pro up to and including 1.8.8. Sites running WordPress with this plugin version are directly affected; the impact is confined to the installation that hosts the vulnerable plugin.
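To check an installation against the affected range above, the following added example (not code from the vendor or from this advisory) scans a WordPress plugins directory for plugin header comments and reports copies at or below 1.8.8. The `Plugin Name` text it matches, the folder names and the version 1.9 in the demo are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (1, 8, 8)          # from the advisory: affected up to and including 1.8.8
NAME_PATTERN = "file manager pro"  # assumed "Plugin Name" header text; adjust to your install

HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.I | re.M)


def parse_version(text):
    """Turn '1.8.8' into (1, 8, 8); a suffix such as '-beta' is ignored."""
    parts = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple(parts + [0] * (3 - len(parts)))


def read_headers(php_file):
    """Read the plugin header comment; WordPress only looks at the first 8 KB."""
    head = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    # reversed() so that the first occurrence of each header wins
    return {k.lower(): v.strip() for k, v in reversed(HEADER_RE.findall(head))}


def find_affected(plugins_dir):
    """Return (directory, version) for each matching plugin at or below LAST_AFFECTED."""
    hits = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        h = read_headers(php_file)
        name, version = h.get("plugin name", ""), h.get("version", "")
        if NAME_PATTERN in name.lower() and version:
            if parse_version(version) <= LAST_AFFECTED:
                hits.append((php_file.parent.name, version))
    return hits


def demo():
    """Build a constructed plugins tree with one old and one newer copy, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        for folder, ver in (("fm-old", "1.8.8"), ("fm-new", "1.9")):
            d = Path(root, folder)
            d.mkdir()
            d.joinpath("main.php").write_text(
                f"<?php\n/**\n * Plugin Name: File Manager Pro\n * Version: {ver}\n */\n")
        return find_affected(root)


if __name__ == "__main__":
    print(demo())
```

On a real site, call `find_affected()` with the path to `wp-content/plugins`.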
Risk and Exploitability
The CVSS score of 5.9 reflects a moderate risk. The EPSS score of less than 1% indicates a very low but non-zero likelihood of active exploitation at the time of analysis, and the issue is not listed in the CISA KEV catalog. Exploitation requires an attacker to insert malicious input that the plugin stores and subsequently renders in a page view, so the attack runs client-side through application input rather than as remote code execution on the server. The risk is therefore primarily to end users who interact with the stored data via the plugin.