Impact
The plugin contains an improper neutralization of input during page generation, resulting in a reflected XSS flaw (CWE‑79). A malicious user can embed arbitrary script into a URL that the plugin echoes back to the browser without sanitization. When a victim opens the URL the script is executed in the victim’s session, potentially allowing the attacker to read cookies, deface the page, or perform other in‑page actions. The impact is limited to the user interacting with the affected URL and does not persist data beyond that request.
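The reflected-XSS pattern the advisory describes, beside its escaped form, as an added PHP example that is not the plugin's own code; the parameter name msg, the render functions and the constructed request are assumptions.

```php
<?php
// Added illustration, not code from the affected plugin. The query parameter
// "msg" and the two render functions are hypothetical stand-ins for the
// request value the plugin echoes back into its messaging pages.
declare(strict_types=1);

// Vulnerable pattern (CWE-79): a query parameter is concatenated straight
// into the HTML response, so any markup in the URL reaches the browser intact.
function render_notice_vulnerable(array $query): string
{
    $msg = (string) ($query['msg'] ?? '');
    return '<div class="pm-notice">' . $msg . '</div>';
}

// Hardened pattern: the parameter stays a string of untrusted text and is
// HTML-escaped at output time. Inside a WordPress plugin the equivalents are
// sanitize_text_field( wp_unslash( $_GET['msg'] ) ) when reading the value and
// esc_html() for element content (esc_attr() inside attributes) when printing it.
function render_notice_hardened(array $query): string
{
    $msg  = (string) ($query['msg'] ?? '');
    $safe = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="pm-notice">' . $safe . '</div>';
}

// Constructed request standing in for the crafted URL a victim is sent;
// the classic harmless probe string is enough to show the difference.
$request = ['msg' => '<script>alert(1)</script>'];

// Vulnerable: the script element is emitted verbatim and runs in the victim's session.
echo render_notice_vulnerable($request), PHP_EOL;

// Hardened: angle brackets and quotes become entities, so the browser shows
// the payload as text instead of executing it.
echo render_notice_hardened($request), PHP_EOL;

// Regression check a maintainer could keep in the plugin's test suite:
// no raw tag from the request may survive into the rendered output.
assert(strpos(render_notice_hardened($request), '<script') === false);
assert(strpos(render_notice_vulnerable($request), '<script') !== false);
```

Escaping at the output sink, not just filtering on input, is what closes the reflected-XSS path, because the same value may later be printed into a different HTML context.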
Affected Systems
All installations of the DeluxeThemes Private Messages for UserPro WordPress plugin with version 4.10.0 or earlier are affected. This includes any WordPress site that has deployed the plugin in its messaging functionality.
Risk and Exploitability
The CVSS score of 7.1 indicates a high‑impact vulnerability. The EPSS score of less than 1% signals a low likelihood of current exploitation, and the flaw is not listed in CISA’s KEV catalog, suggesting no known widespread attacks. The attack is inferred to require an attacker to craft a malicious URL that a target user then visits before the payload executes, so exploitation is remote but depends on user interaction.