Impact
The vulnerability lies in the CleanTalk WordPress plugin (Login Security, FireWall, Malware removal by CleanTalk) in versions up to and including 2.168. An unauthenticated user can place arbitrary script content in a page URL; the plugin stores that URL and later renders it without sanitization or output escaping, so the injected script executes in the browser of every visitor who loads the affected page. Because the payload persists server-side rather than being reflected from a single request, this is a stored (persistent) XSS, classified as CWE-79 (improper neutralization of input during web page generation). Consequences include session hijacking, credential theft, defacement, and delivery of client-side malware.
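As an added example (not code from the plugin or from CleanTalk), the following self-contained PHP models the pattern the description implies: a visitor-supplied URL is persisted and later written into a page. The vulnerable renderer interpolates the stored string raw; the hardened one restricts the scheme to http/https and escapes for the attribute and text contexts it lands in, which is what WordPress's `esc_url()`, `esc_attr()` and `esc_html()` helpers do inside a real plugin. The stored value, the function names and the markup check are constructed for this illustration and do not reproduce the plugin's actual code paths.

```php
<?php
// Added example (not CleanTalk's code): models a plugin that stores a
// visitor-supplied URL and later renders it into a page. The vulnerable
// renderer interpolates the stored string raw; the hardened one validates
// the scheme and escapes for the contexts the value is written into.

declare(strict_types=1);

// Constructed attacker input: a "URL" carrying markup. Assumption: the
// plugin persists whatever arrives in the request and renders it later.
const STORED_URL = 'http://example.com/"><script>alert(document.cookie)</script>';

/** Vulnerable: raw interpolation into attribute and text, the stored-XSS pattern. */
function render_vulnerable(string $url): string
{
    return '<a href="' . $url . '">' . $url . '</a>';
}

/**
 * Only http(s) URLs pass; javascript:, data:, vbscript: and scheme-less
 * values are rejected. Plain PHP stand-in for WordPress esc_url().
 */
function safe_url(string $url): ?string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

/** Context-aware escaping; stand-in for esc_attr()/esc_html(). */
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Hardened: validate at output time, then escape for each context. */
function render_hardened(string $url): string
{
    $clean = safe_url($url);
    if ($clean === null) {
        return '';             // drop the link rather than emit an unsafe one
    }
    return '<a href="' . esc($clean) . '">' . esc($clean) . '</a>';
}

/** Check: does the rendered HTML contain any element other than the expected <a>? */
function contains_injected_markup(string $html): bool
{
    return preg_match('/<(?!\/?a\b)[a-zA-Z]/', $html) === 1;
}

$vuln = render_vulnerable(STORED_URL);
$hard = render_hardened(STORED_URL);
printf("vulnerable: %s\n  injected markup: %s\n", $vuln, contains_injected_markup($vuln) ? 'yes' : 'no');
printf("hardened:   %s\n  injected markup: %s\n", $hard, contains_injected_markup($hard) ? 'yes' : 'no');
printf("javascript: URL rejected: %s\n", render_hardened('javascript:alert(1)') === '' ? 'yes' : 'no');
```

Run it with `php example.php`: the vulnerable line echoes the `<script>` element straight back into the document, the hardened line emits it as inert `&lt;script&gt;` text, and the `javascript:` URL is dropped. The rule a plugin author should take from this is that validation and escaping belong at the output sink for the context being written, and that a value is never safe merely because it was "cleaned" when stored.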
Affected Systems
Any WordPress site with the Login Security, FireWall, Malware removal by CleanTalk plugin installed at a version up to and including 2.168 is affected. Sites running a newer release, or that do not have the plugin installed, are not impacted. The installed version can be confirmed on the WordPress Plugins screen or with WP-CLI (`wp plugin list`).
Risk and Exploitability
A CVSS score of 7.2 places the flaw in the high-severity band; the entry records impact to the confidentiality, integrity, and availability of the web application. The EPSS score is below 1%, meaning the predicted probability of exploitation in the wild over the near term is low. The vulnerability is nonetheless documented in multiple advisories, although it is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The likely attack path is delivery of a crafted URL to the target; this is inferred from the description, since the entry does not explicitly detail the attack method. Because no authentication is required and the payload is planted with a single request, the flaw suits both targeted and opportunistic attacks, particularly against sites with significant visitor traffic, where one stored payload reaches many browsers.
OpenCVE Enrichment