Impact
The vulnerability allows an attacker to embed malicious script code into a WordPress site through the xili‑tidy‑tags plugin. Because this is stored cross‑site scripting, the injected code becomes part of the site's content and is served to every user who views the affected page. Users who view that page may have their session cookies stolen, their browser session hijacked, or be redirected to malicious sites, potentially leading to credential theft or phishing. The impact is confined to client‑side exploitation; it does not directly compromise server files or enable arbitrary code execution on the server.
Affected Systems
WordPress sites running the xili‑tidy‑tags plugin by Michel – xiligroup dev, version 1.12.06 or earlier, are affected.
Risk and Exploitability
The CVSS score of 6.5 reflects moderate severity for a stored XSS flaw. EPSS indicates an exploit probability of less than 1%, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is the submission or creation of tags through the plugin's interface, which usually requires a role that can add tags. Once a malicious tag is stored, every visitor to the affected page receives the injected script. The exploit path is therefore relatively low‑barrier for compromised or untrusted users with tag permissions, but it remains limited to sites where the plugin is active.
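The pattern described above, as an added illustration that is not the plugin's code: a stored tag name echoed into HTML unescaped, beside the same value passed through WordPress's escaping helpers (esc_html, esc_attr, sanitize_text_field). The fallback definitions exist only so the file runs with plain `php` outside WordPress and approximate the real helpers; the tag value is constructed.

```php
<?php
// Illustrative example, not code from xili-tidy-tags: how an unescaped tag
// name becomes stored XSS, and how context-aware output escaping stops it.

// Stand-ins so this runs with plain `php` outside WordPress. Inside WordPress
// the real esc_html()/esc_attr()/sanitize_text_field() are used instead; these
// are approximations of their behaviour, not copies.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        // Collapse whitespace and drop tags, roughly what WordPress does.
        return trim(strip_tags(preg_replace('/[\r\n\t ]+/', ' ', $s)));
    }
}

// Vulnerable pattern: the stored tag name and slug go straight into markup,
// so whatever a tag-capable user saved is served to every visitor as-is.
function render_tag_vulnerable(string $name, string $slug): string {
    return '<a href="?tag=' . $slug . '">' . $name . '</a>';
}

// Hardened pattern: escape each value for the context it lands in
// (attribute value vs. element text).
function render_tag_safe(string $name, string $slug): string {
    return '<a href="?tag=' . esc_attr($slug) . '">' . esc_html($name) . '</a>';
}

// Constructed tag name, as a user with tag permissions might submit it.
$tag_name = 'news<script>/* constructed marker */</script>';
$tag_slug = 'news';

// Defence in depth on the write path: normalise before storing. Output
// escaping is still required, since older stored values may be unsanitised.
$stored_name = sanitize_text_field($tag_name);

echo render_tag_vulnerable($tag_name, $tag_slug), PHP_EOL; // script tag reaches the browser
echo render_tag_safe($tag_name, $tag_slug), PHP_EOL;       // rendered as inert text
echo render_tag_safe($stored_name, $tag_slug), PHP_EOL;    // sanitised and escaped
```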
OpenCVE Enrichment