Impact
An unauthenticated attacker can exploit the Top Position Google Finance plugin for WordPress through a reflected Cross-Site Scripting vulnerability that arises because the plugin outputs the value of $_SERVER['PHP_SELF'] without proper sanitisation or escaping. The flaw allows injection of arbitrary JavaScript that is reflected back to the browser when a victim is tricked into clicking a specially crafted link. This type of flaw can lead to session hijacking, defacement, or the execution of malicious scripts in the context of the authenticated user. The impact is direct compromise of the confidentiality, integrity, and availability of the web application for users who interact with the injected content.
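The unsafe pattern described above, placed beside a hardened form, as an added example that is not the plugin's code or the vendor's fix. PHP_SELF is derived from the request path and includes any PATH_INFO a client appends after the script name, which is why part of its value is attacker-controlled. The function names, the constructed sample path and the use of plain PHP escaping (rather than WordPress's esc_url()/esc_attr(), which is what a plugin would use) are assumptions made for this example.

```php
<?php
// Added example (not the plugin's code): writing $_SERVER['PHP_SELF'] into a
// form action, unsafe and hardened. Run stand-alone with: php php_self_xss.php
declare(strict_types=1);

/**
 * Unsafe pattern: the raw server variable is concatenated into an HTML
 * attribute. Because PHP_SELF carries client-supplied PATH_INFO, a request to
 * /wp-admin/admin.php/<anything> lands <anything> unescaped in the page.
 */
function vulnerable_form_action(string $php_self): string
{
    return '<form method="post" action="' . $php_self . '">';
}

/**
 * Hardened pattern, two layers:
 *  1. Take the path from a server-controlled source instead of PHP_SELF.
 *     SCRIPT_NAME does not include client-appended PATH_INFO; inside WordPress
 *     the equivalents are admin_url() / home_url() for a known page.
 *  2. Escape for the attribute context regardless of where the value came from
 *     (htmlspecialchars here; esc_url() / esc_attr() in a WordPress plugin).
 */
function hardened_form_action(string $script_name): string
{
    // Defence in depth: only accept characters that can appear in a script path.
    if (!preg_match('~^/[A-Za-z0-9/_.\-]*$~', $script_name)) {
        // Unexpected content: fall back to posting to the current URL, which is
        // what the PHP_SELF idiom was trying to achieve in the first place.
        return '<form method="post">';
    }
    $escaped = htmlspecialchars($script_name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $escaped . '">';
}

if (PHP_SAPI === 'cli') {
    // Constructed sample value: the script name followed by path info that
    // contains a double quote and angle brackets, the characters that matter
    // when a value is written into an HTML attribute.
    $php_self = '/wp-admin/admin.php/extra"path<x>';
    $script_name = '/wp-admin/admin.php';   // what SCRIPT_NAME would hold

    echo 'vulnerable: ', vulnerable_form_action($php_self), PHP_EOL;
    echo 'hardened:   ', hardened_form_action($script_name), PHP_EOL;
    // Even if the tainted value were passed to the hardened function, the
    // allowlist rejects it and the form falls back to the current URL.
    echo 'hardened (tainted input): ', hardened_form_action($php_self), PHP_EOL;
}
```

The simplest hardening of all is to omit the action attribute, since a form without one posts to the page it was rendered on; most uses of PHP_SELF in form actions exist only to reproduce that default. When a plugin genuinely needs a URL in output, build it from a WordPress helper such as admin_url() and pass it through esc_url() at the point of output rather than trusting any $_SERVER value.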
Affected Systems
All installations of the Top Position Google Finance WordPress plugin at version 0.1.0 or earlier are affected. The plugin is distributed by the vendor "Top Position" under the name "Top Position Google Finance" and is referenced by CPE strings for the WordPress plugin ecosystem.
Risk and Exploitability
The CVSS score of 6.1 indicates a medium-severity vulnerability, while the EPSS score of less than 1% signals that exploitation in the wild is currently considered unlikely. The vulnerability is not listed in the CISA KEV catalog, further suggesting that public exploitation has not been observed. The attack vector is web-based: a malicious link that includes crafted query parameters can trick a victim into executing attacker-supplied JavaScript when the page loads. Successful exploitation requires a user to click the link, but no privileged access or network exploitation is necessary.
OpenCVE Enrichment