Impact
The GetSocial plugin contains an Improper Neutralization of Input During Web Page Generation vulnerability that allows attackers to inject arbitrary JavaScript into pages rendered by the plugin. When a crafted query parameter or other user‑supplied input is reflected into the page without output encoding, an attacker can execute script in the browser of any user who views the affected page. Potential consequences include session hijacking, theft of credentials, and delivery of malicious content. The flaw maps to CWE‑79 and is an example of reflected XSS, meaning the attack requires the victim to visit a specially crafted URL, after which the malicious script runs in their browser context.
Affected Systems
Any WordPress site running the Riyaz GetSocial plugin version 2.0.1 or earlier is affected. The vulnerability is present across all installations that include the plugin from the initial release up to version 2.0.1. No other WordPress core or plugin components are directly impacted by this flaw.
Risk and Exploitability
The CVSS score of 7.1 indicates a high severity, but the EPSS score of less than 1% indicates that, as of this assessment, the estimated probability of exploitation activity is low. The vulnerability is not listed in the CISA KEV catalog, implying no known large‑scale exploitation. Attackers would typically craft a malicious URL containing the input that triggers the XSS payload and lure unsuspecting users into visiting it. Once executed in the victim’s browser, the code runs with the privileges of that user, potentially compromising account security and data integrity.
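The following is an added illustration, not code from the GetSocial plugin, showing the rendering pattern the advisory describes (a query parameter echoed into HTML unencoded) next to its hardened form. The parameter name "title" and the markup are hypothetical; the point is that the fix is context-appropriate output encoding at the moment the value is written into the page, which is what WordPress's esc_html(), esc_attr() and esc_url() helpers do.

```php
<?php
// Added example (not GetSocial's code). Demonstrates CWE-79 reflected XSS
// and the output-encoding fix. The "title" parameter is hypothetical.

/**
 * Vulnerable pattern: the request value is concatenated into HTML unchanged,
 * so any markup it carries is parsed by the browser as markup.
 * Note that sanitising on input (e.g. trimming) does not help here; the
 * defect is the missing encoding at output time.
 */
function render_vulnerable(array $query): string
{
    $title = (string)($query['title'] ?? '');
    return '<h2 class="gs-title">' . $title . '</h2>'
         . '<a href="/share?title=' . $title . '">Share</a>';
}

/**
 * Encode a value for HTML element content or a quoted attribute.
 * ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces invalid
 * UTF-8 instead of returning an empty string. In WordPress the equivalent
 * helpers are esc_html() for text and esc_attr() for attribute values.
 */
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Hardened pattern: encode for the context the value lands in.
 *  - element text  -> html_encode()
 *  - URL component -> rawurlencode() first, then html_encode() because the
 *    URL is itself inside an HTML attribute (WordPress: esc_url()).
 */
function render_hardened(array $query): string
{
    $title = (string)($query['title'] ?? '');
    $href  = '/share?title=' . rawurlencode($title);
    return '<h2 class="gs-title">' . html_encode($title) . '</h2>'
         . '<a href="' . html_encode($href) . '">Share</a>';
}

// Constructed input standing in for a crafted query string; in a real
// request this would come from $_GET. The payload is a harmless marker.
$query = ['title' => '<script>alert(1)</script>'];

echo "Vulnerable output:\n" . render_vulnerable($query) . "\n\n";
echo "Hardened output:\n"   . render_hardened($query)   . "\n";
```

Running this from the command line (php example.php) shows the vulnerable branch emitting a live script element and an attribute broken out of by the injected quote-free markup, while the hardened branch emits only `&lt;script&gt;...` text and a percent-encoded URL. A Content-Security-Policy that disallows inline script is a useful second layer, but it does not replace encoding: the plugin must be updated to a fixed version, and any custom templates that echo request data should be reviewed for the same pattern.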
OpenCVE Enrichment