Impact
The vulnerability is a reflected DOM‑based cross‑site scripting flaw found in multiple WordPress plugins and themes. An unauthenticated attacker can inject malicious script through the url parameter, causing arbitrary script to execute in the victim's browser when they are tricked into visiting a crafted link. The flaw is classified as CWE‑79 and could be used to deface content, steal session cookies, or redirect users to phishing sites.
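The pattern described above, as an added illustration that is not code from the advisory, the Freemius SDK or any of the listed plugins: a page reads a url query parameter from its own location and writes it straight into an HTML sink, so a crafted link controls the markup. The renderLinkVulnerable and renderLinkHardened functions and all inputs below are constructed for this example; the sink is modelled as a returned HTML string so the code runs in Node without a DOM.

```javascript
// Added example (constructed; not from the advisory or the Freemius SDK).
// URL and URLSearchParams are globals in Node 10+ and in browsers.

// Reads the "url" parameter from a query string such as "?url=https://example.com".
function getUrlParam(search) {
  const params = new URLSearchParams(search);
  return params.get('url');
}

// VULNERABLE pattern: the untrusted parameter is concatenated into markup that a
// real page would hand to innerHTML (or document.write). Any quote or angle
// bracket in the value breaks out of the attribute and becomes markup.
function renderLinkVulnerable(search) {
  const url = getUrlParam(search) || '';
  return '<a href="' + url + '">' + url + '</a>';
}

// Minimal HTML entity escaping, sufficient for text and double-quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Accepts only absolute http(s) URLs. Anything else (other schemes, relative
// paths, unparsable input) falls back to a harmless default.
function safeHttpUrl(candidate, fallback = '#') {
  if (typeof candidate !== 'string') return fallback;
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch (e) {
    return fallback;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return fallback;
  return parsed.href;
}

// HARDENED pattern: validate the value as a URL first, then escape it for the
// context it lands in. In a real page, prefer document.createElement('a') with
// setAttribute('href', ...) and textContent over string concatenation.
function renderLinkHardened(search) {
  const url = safeHttpUrl(getUrlParam(search));
  const safe = escapeHtml(url);
  return '<a href="' + safe + '">' + safe + '</a>';
}

module.exports = { getUrlParam, renderLinkVulnerable, escapeHtml, safeHttpUrl, renderLinkHardened };
```

The two checks in safeHttpUrl address different failures: parsing rejects values that are not URLs at all, and the scheme allowlist rejects values that parse but would run script or load data when followed. Escaping is still needed afterwards because a valid URL may legitimately contain & or quotes.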
Affected Systems
A large number of WordPress plugins and themes are affected, including Open User Map, Dynamic Copyright Year, Easy Age Verify, Featured Images in RSS for Mailchimp & More, Marijuana Age Verify, WP Post Author – Author Box, Security Ninja, Knowledge Base documentation & wiki plugin – BasePress Docs, Geo Mashup, Custom PHP Settings, Justified Gallery, YASR – Yet Another Star Rating Plugin for WordPress, and many others listed under the Freemius SDK. No per‑plugin version ranges are supplied; the affected releases are given as <= 2.10.1.
Risk and Exploitability
The CVSS score of 6.1 indicates medium severity, and with no EPSS data available, current exploit prevalence is unknown. Exploitation requires only that the victim open a crafted URL in their browser, so an attacker must persuade a user to click a malicious link. The vulnerability is not listed in CISA's KEV catalog, but because it can be triggered by unauthenticated users it remains a realistic risk for sites reachable by external traffic.
OpenCVE Enrichment