Stored XSS occurs when the plugin fails to neutralise user‑supplied input that is later rendered in the page. The result is that an attacker can inject malicious scripts that will run in visitors’ browsers, potentially hijacking sessions or conducting phishing attacks. This weakness is identified as CWE‑79 and yields an impact on confidentiality, integrity, and availability of the affected website.

The issue affects the magicoders ACF Recent Posts Widget plugin for WordPress, specifically versions up to and including 5.9.3. Any installation that uses the widget without upgrading or disabling it is vulnerable, regardless of other theme or plugin configurations.

The CVSS score of 6.5 represents a moderate severity, while the EPSS score of less than 1% indicates a very low probability of exploitation as of the current data. The vulnerability is listed as not in the CISA KEV catalog, meaning no publicly known large‑scale exploits are reported. Attackers could target the site by creating or editing widget content that includes malicious payloads; however, they would need either access to the WordPress admin interface or the ability to insert content via other vulnerable plugins, which limits the immediate risk to configurations that allow unauthenticated content creation. Based on the nature of the vulnerability, it is inferred that the requirement for admin access is not explicitly stated but likely necessary.