Impact
This vulnerability is an improper neutralization of input during web page generation, allowing stored Cross-Site Scripting (XSS). An attacker who can submit input that the Stagtools plugin persists and later renders can cause script of their choosing to execute in the browser of any visitor who loads the affected page, potentially stealing session cookies, defacing content, or facilitating phishing and malware delivery. The weakness is classed as CWE-79, a typical XSS flaw that compromises confidentiality and integrity for site users.
Affected Systems
The affected product is the Ram Ratan Maurya Stagtools WordPress plugin, versions 2.3.8 and earlier. All instances of those versions running on WordPress sites are vulnerable. No other plugins or vendors are listed as affected.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at present. Because the vulnerability is not in CISA KEV, there is no indication of known real-world attacks. The typical exploitation vector is a payload submitted through a stored input field of the plugin; the script is then rendered in subsequent page views, so every visitor who trusts the site is exposed. Administrators should prioritize updating the plugin before attackers leverage the flaw.
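As an added illustration that is not from the advisory and not Stagtools' actual code, the following hypothetical WordPress snippet shows the stored-XSS pattern CWE-79 describes (an option persisted verbatim and echoed unescaped) beside the hardened form that sanitizes on save and escapes at output; the `example_*` function and option names are assumptions, while `sanitize_text_field`, `esc_html`, `wp_kses_post`, `get_option`, `update_option`, `current_user_can` and `add_shortcode` are WordPress core functions.

```php
<?php
// Hypothetical plugin code (assumed names), NOT Stagtools' implementation.
// Stored XSS: a value is saved once and then rendered on every page view.

// --- Vulnerable pattern: persisted verbatim, printed into the page unescaped ---
function example_save_tagline_vulnerable( $raw ) {
    // Any markup in $raw is stored exactly as submitted.
    update_option( 'example_tagline', $raw );
}
function example_tagline_shortcode_vulnerable() {
    // CWE-79: stored value concatenated into HTML with no escaping.
    return '<p class="tagline">' . get_option( 'example_tagline', '' ) . '</p>';
}

// --- Hardened pattern: check capability and sanitize on save, escape on output ---
function example_save_tagline_hardened( $raw ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return false; // only administrators may change the stored value
    }
    // sanitize_text_field() strips tags and control characters before persistence.
    update_option( 'example_tagline', sanitize_text_field( $raw ) );
    return true;
}
function example_tagline_shortcode_hardened() {
    // Escape at the point of output for the HTML-text context; the stored
    // value is never trusted even though it was sanitized on save.
    return '<p class="tagline">' . esc_html( get_option( 'example_tagline', '' ) ) . '</p>';
}
// When limited markup must be allowed, filter through WordPress's post-content
// allowlist instead of esc_html(); script tags and event handlers are removed.
function example_rich_block_hardened() {
    return wp_kses_post( get_option( 'example_rich_block', '' ) );
}

add_shortcode( 'example_tagline', 'example_tagline_shortcode_hardened' );
add_shortcode( 'example_rich_block', 'example_rich_block_hardened' );
```

Reviewing a plugin for this class of bug means following each stored option or post meta from `update_option`/`update_post_meta` to the place it is echoed and confirming an `esc_*` or `wp_kses*` call sits at that output point.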
OpenCVE Enrichment