Impact
The vulnerability is a stored cross-site scripting (XSS) flaw in the Toast Mobile Menu plugin: user-supplied menu content is stored and later rendered into the page without proper neutralization. An attacker who can write to a menu entry can inject script that runs in the browser of every visitor who views the affected menu, potentially leading to cookie theft, session hijacking, defacement, or the execution of further malicious scripts. The weakness is classified as CWE-79 (improper neutralization of input during web page generation): output is not escaped for its HTML context and no strict HTML sanitization is enforced.
Affected Systems
The flaw affects all installations of Toast Mobile Menu version 1.0.8 or older. The package is distributed by Toast Plugins as the Toast Mobile Menu plugin and is widely used on WordPress sites that employ its Toast Responsive Menu feature. The affected range is defined only by the plugin version; no particular operating system or WordPress version is singled out.
Risk and Exploitability
The CVSS v3.1 score of 7.1 places this vulnerability in the medium-to-high severity range. The EPSS score of less than 1% indicates that the likelihood of exploitation is low, but the flaw remains exploitable at scale wherever a site administrator is unaware of the issue and has not updated. It is not currently listed in the CISA Known Exploited Vulnerabilities catalog, though an attacker could manually craft a stored payload in menu entries. The attack vector is remote: an attacker needs only the ability to write arbitrary data into a stored menu field, and the target site must then render that data unfiltered.
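The store-then-render pattern described under Impact, shown as an added illustration of the CWE-79 defect next to its hardened form. This is constructed example code, not the Toast Mobile Menu plugin's own source; the item field names (`label`, `url`) and the `esc_*`/`sanitize_text_field` fallbacks are assumptions so the file runs under plain `php` outside WordPress.

```php
<?php
// Constructed illustration of the CWE-79 pattern in the advisory; not code from
// the Toast Mobile Menu plugin. The fallbacks below approximate the WordPress
// escaping helpers so this file runs stand-alone; inside a plugin, use the real ones.
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
    function esc_attr($s) { return esc_html($s); }
    // WordPress esc_url() rejects disallowed schemes (e.g. javascript:); approximated here
    // by allowing only http(s) links and returning an empty string otherwise.
    function esc_url($u)  { return preg_match('#^https?://#i', (string) $u) ? esc_attr($u) : ''; }
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
}

// Vulnerable pattern: a stored menu entry is concatenated straight into the page,
// so any HTML placed in the label or link field runs in every visitor's browser.
function render_menu_vulnerable(array $items): string {
    $html = '<ul class="mobile-menu">';
    foreach ($items as $item) {
        $html .= '<li><a href="' . $item['url'] . '">' . $item['label'] . '</a></li>';
    }
    return $html . '</ul>';
}

// Hardened pattern: sanitize on save AND escape on output, picking the escaper that
// matches the HTML context (URL attribute vs. text node). Escaping on output is the
// control that actually closes the stored-XSS hole; sanitizing on save is defence in depth.
function sanitize_menu_item(array $item): array {
    return [
        'label' => sanitize_text_field($item['label'] ?? ''),
        'url'   => $item['url'] ?? '',   // scheme is validated at output time by esc_url()
    ];
}

function render_menu_hardened(array $items): string {
    $html = '<ul class="mobile-menu">';
    foreach ($items as $item) {
        $item  = sanitize_menu_item($item);
        $html .= '<li><a href="' . esc_url($item['url']) . '">' . esc_html($item['label']) . '</a></li>';
    }
    return $html . '</ul>';
}

// Constructed sample of stored menu data containing a typical XSS test string.
$stored = [
    ['label' => 'Home', 'url' => 'https://example.com/'],
    ['label' => 'About<script>alert(1)</script>', 'url' => 'javascript:alert(1)'],
];

echo "Vulnerable:\n", render_menu_vulnerable($stored), "\n\n";
echo "Hardened:\n",   render_menu_hardened($stored), "\n";
```

Running it shows the vulnerable renderer emitting the script tag and `javascript:` link verbatim, while the hardened renderer outputs an inert label and an empty `href`; a plugin audit for this class of bug looks for exactly the unescaped concatenation in the first function.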
OpenCVE Enrichment