Impact
The vulnerability arises from improper neutralization of user input in the MX Time Zone Clocks plugin, allowing stored cross‑site scripting. The CVE description specifies that malicious scripts can be stored and later executed in browsers of users who view the affected content. The description does not explicitly state that attackers could hijack sessions, deface the site, or exfiltrate data; such outcomes are common with XSS but are inferred rather than confirmed.
Affected Systems
The vulnerability affects the Maksym Marko MX Time Zone Clocks WordPress plugin, specifically all releases up to and including version 5.1.1. Users running these versions are subject to the described risk.
Risk and Exploitability
The CVSS score of 6.5 indicates medium severity, and the EPSS score of less than 1% suggests a low probability of real‑world exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. The likely attack path is inferred: an attacker who can create or edit plugin input that is stored and rendered (for example, through a configuration form or an admin comment) could insert malicious code; when other users view the affected page, the script executes. The specific privileges required are not detailed in the CVE data, but stored XSS generally needs write access to input fields the plugin processes. The CVE does not detail consequences beyond stored XSS; typical effects such as session hijacking or defacement are inferred.
OpenCVE Enrichment