Impact
The vulnerability is a stored cross-site scripting (XSS) flaw that allows an attacker to inject malicious JavaScript into content that is later rendered for site visitors. By exploiting this weakness, an attacker could steal session cookies, hijack user accounts, or deface the site. The flaw originates from improper neutralization of input when the plugin generates web pages: attacker-controlled data is persisted in the database and then written into HTML without escaping, so the script executes every time a page that includes the affected content is loaded.
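As an added illustration (not code from the AffiliateWP – External Referral Links plugin or from this advisory), the following PHP contrasts the failure mode described above, a stored value interpolated into markup without neutralization, with a render that escapes for the context the value lands in and rejects non-http(s) URLs. The option keys, function names and stored payload are constructed for the example; the WordPress functions named in the comments (esc_html(), esc_attr(), esc_url(), sanitize_text_field(), esc_url_raw()) are real core functions and are the ones a plugin would normally call.

```php
<?php
// Added example, not the plugin's code. Stand-in for values an attacker managed to
// persist in the database (constructed for this demonstration). The label payload
// closes the attribute it is rendered into and appends a script element.
$stored = [
    'referral_label' => '"><script>document.title="xss"</script>',
    'referral_url'   => 'javascript:alert(1)',
];

// VULNERABLE pattern: stored data is written straight into markup, which is the
// "improper neutralization ... when generating web pages" described in the advisory.
function render_unsafe(array $data): string {
    return '<a href="' . $data['referral_url'] . '" title="' . $data['referral_label'] . '">'
         . $data['referral_label'] . '</a>';
}

// Context-aware escaping for HTML body and attribute contexts.
// WordPress equivalents: esc_html() for body text, esc_attr() for attribute values.
function escape_text(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// URL context: escaping alone does not stop javascript: or data: URLs from running,
// so restrict the scheme first. WordPress equivalent: esc_url().
function escape_url(string $url): string {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '';   // refuse javascript:, data:, and scheme-less values
    }
    return escape_text($url);
}

// HARDENED render: every interpolated value passes through the escaper for its context.
function render_safe(array $data): string {
    $url = escape_url($data['referral_url']);
    if ($url === '') {
        // No usable link target: render the label as plain text instead of a broken anchor.
        return '<span>' . escape_text($data['referral_label']) . '</span>';
    }
    return '<a href="' . $url . '" title="' . escape_text($data['referral_label']) . '">'
         . escape_text($data['referral_label']) . '</a>';
}

// Defence in depth: also sanitize on the way in so the database never holds markup.
// This is a supplement, not a replacement, for output escaping; strip_tags() keeps the
// text between tags and is not a real HTML sanitizer.
// WordPress equivalents: sanitize_text_field() for labels, esc_url_raw() for URLs.
function sanitize_on_input(array $raw): array {
    return [
        'referral_label' => trim(strip_tags($raw['referral_label'] ?? '')),
        'referral_url'   => (string) filter_var($raw['referral_url'] ?? '', FILTER_SANITIZE_URL),
    ];
}

echo "unsafe:                 " . render_unsafe($stored) . PHP_EOL;
echo "escaped on output:      " . render_safe($stored) . PHP_EOL;
echo "sanitized then escaped: " . render_safe(sanitize_on_input($stored)) . PHP_EOL;
```

Run with `php example.php`: the first line shows the injected script element and the `javascript:` href intact, the second shows the label reduced to inert text (`&quot;&gt;&lt;script&gt;...`) and the anchor replaced by a span because the URL scheme was refused, and the third shows that input sanitization alone still leaves a `javascript:` URL to be caught at output time.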
Affected Systems
All WordPress sites running the Syed Balkhi AffiliateWP – External Referral Links plugin at version 1.2.0 or earlier are affected. The flaw lies in the plugin's handling of stored data; no other plugins or WordPress core components are listed as affected.
Risk and Exploitability
The CVSS score of 5.9 indicates moderate severity. The EPSS score is reported as < 1%, suggesting a low probability of exploitation at the time of this analysis, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector involves an attacker supplying malicious input to the plugin’s data fields, which then gets stored and later rendered. The description does not explicitly state authentication requirements, so it is inferred that the exploit could be carried out by users with the appropriate access rights to submit data to the plugin.
OpenCVE Enrichment