This vulnerability arises from improper sanitization of user‑supplied data when generating HTML content in the Magical Posts Display plugin. The flaw permits an attacker to inject arbitrary JavaScript into a page that is rendered by a victim’s browser. Because the script executes with the victim’s privileges, it can steal cookies, hijack sessions, deface the site, or redirect users to malicious destinations. The weakness corresponds to CWE‑79 and results in a moderate‑severity risk (CVSS 6.5).

The flaw affects all installations of the Noor Alam Magical Posts Display WordPress plugin from any unspecified initial version up through 1.2.52 inclusive. Any site using this plugin version in a WordPress content‑management environment is potentially vulnerable.

Although the CVSS score indicates a moderate impact, the EPSS score of < 1% suggests that the likelihood of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is through user‑generated content or administrative input that is rendered by the plugin. An attacker can embed malicious code that will execute in the browser of anyone who views a page that includes the vulnerable plugin output, making it an easily triggered but client‑side attack that depends on victim interaction.