Impact
An attacker who can supply data to the plugin’s input fields can inject malicious scripts that are then rendered in the browser of any visitor who views the affected content. The vulnerability is a stored XSS flaw caused by improper neutralization of input during web page generation. Consequences could include data compromise or misuse of the site; more specific impacts such as session hijacking or arbitrary code execution are not stated in the CVE and are inferred here only as typical outcomes of injected scripts.
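The defect class named above (output written into a page without context-appropriate escaping) is illustrated by the following added example. It is not code from the Penci Pay Writer plugin; the field name, the stored value and the helper functions are constructed for illustration, and plain htmlspecialchars() stands in for the WordPress helpers so the file runs outside WordPress.

```php
<?php
// Added example, not plugin code. Constructed sample of what an attacker-controlled
// field might contain once it has been stored by the application.
$stored_value = '"><img src=x onerror="alert(1)"><script>alert(2)</script>';

// Vulnerable pattern: the stored value is concatenated straight into the markup,
// both inside an attribute and as element content. Whatever was stored is now
// interpreted by the visitor's browser as HTML.
function render_unsafe(string $value): string {
    return '<div class="writer-bio" title="' . $value . '">' . $value . '</div>';
}

// Escape for the HTML context the value is written into. ENT_QUOTES encodes both
// quote styles so the value cannot break out of an attribute; ENT_SUBSTITUTE keeps
// invalid UTF-8 from silently emptying the output. In a WordPress plugin the
// equivalents are esc_html() for element content and esc_attr() for attributes.
function esc_ctx(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: escaping happens at output time, once per context.
function render_safe(string $value): string {
    return '<div class="writer-bio" title="' . esc_ctx($value) . '">' . esc_ctx($value) . '</div>';
}

// Defence in depth for plain-text fields: also sanitize on save (WordPress:
// sanitize_text_field()). Output escaping is still required, because data can reach
// the database by other paths (imports, REST API, rows written by earlier versions).
// Fields that must keep some markup need an allowlist filter instead (WordPress: wp_kses_post()).
function sanitize_on_save(string $value): string {
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $value);
    return trim($value);
}

echo "Unsafe: ", render_unsafe($stored_value), PHP_EOL;
echo "Safe:   ", render_safe($stored_value), PHP_EOL;
echo "Saved:  ", sanitize_on_save($stored_value), PHP_EOL;
```

Run the file and compare the first two lines: the unsafe rendering contains a live `<script>` element and an `onerror` handler, while the safe rendering shows the same characters as inert text.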
Affected Systems
WordPress sites with the Penci Pay Writer plugin installed are affected in every release from the earliest available version up to and including 1.5. The vendor, PenciDesign, is the sole supplier of the affected component.
Risk and Exploitability
With a CVSS score of 6.5, the vulnerability is rated as moderate severity. The EPSS score of less than 1 % indicates that exploitation is currently unlikely in the wild, and the flaw is not listed in the CISA KEV catalog. The attack vector is web‑based and requires the ability to submit data to the plugin’s input fields, as confirmed by the CVE description. The CVE does not state whether administrative privileges are required, so that requirement is uncertain and inferred. The risk to a particular site depends on its user access controls and the volume of user‑supplied content it accepts, but a stored XSS flaw inherently raises the potential impact for every browser that loads the affected content.
OpenCVE Enrichment