Impact
The WP Azure offload plugin for WordPress has an improper‑neutralization vulnerability: attacker‑supplied input is reflected back to the browser without adequate escaping. An attacker can inject script into the generated web page and, once a victim loads it, hijack that user's session or deface content. This is a CWE‑79 Cross‑Site Scripting flaw that allows arbitrary script to execute in the context of the victim's browser, affecting the confidentiality, integrity and availability of user data and of the web application.
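To make the flaw class concrete, the following is an added illustration written for this page, not code from the WP Azure offload plugin or its vendor: a WordPress-style handler that echoes a request parameter unescaped (the pattern the advisory describes) beside the hardened form that sanitizes on input and escapes on output with the escaper matching each HTML context. The `wpao_search` parameter and the `wpao_*` function names are hypothetical.

```php
<?php
// Added illustration, not the plugin's own code. The 'wpao_search'
// parameter and the wpao_* function names are hypothetical.

// BEFORE: the reflected-XSS pattern. A query-string value is written straight
// into HTML, so a crafted link controls markup in the victim's browser.
function wpao_render_search_vulnerable() {
    $q = isset( $_GET['wpao_search'] ) ? $_GET['wpao_search'] : '';
    echo '<input type="text" name="wpao_search" value="' . $q . '">';
    echo '<p>Results for ' . $q . '</p>';
    echo '<a href="' . $q . '">Open</a>';
}

// AFTER: unslash (WordPress adds slashes to superglobals), sanitize on input,
// and escape on output. Sanitizing alone is not enough: escaping must match
// the context the value lands in, which is why three different escapers appear.
function wpao_render_search_hardened() {
    $q = isset( $_GET['wpao_search'] )
        ? sanitize_text_field( wp_unslash( $_GET['wpao_search'] ) )
        : '';
    // Attribute context: esc_attr() encodes quotes, so the value cannot close
    // the attribute and start a new one (e.g. an event handler).
    echo '<input type="text" name="wpao_search" value="' . esc_attr( $q ) . '">';
    // Text-node context: esc_html() encodes < > & so no element is created.
    echo '<p>Results for ' . esc_html( $q ) . '</p>';
    // URL context: esc_url() rejects disallowed schemes such as javascript:
    // and encodes the rest for safe use in href.
    echo '<a href="' . esc_url( $q ) . '">Open</a>';
}
```

Both functions read the same parameter; only the hardened one prevents attacker‑supplied characters from changing the page's structure.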
Affected Systems
Affected are installations of the WP Azure offload plugin from the vendor promact: any WordPress site running plugin version 2.0 or earlier. As enumerated in the advisory, every plugin version released up to and including 2.0 is affected.
Risk and Exploitability
Because this is a reflected XSS flaw, the attack vector is likely remote and requires the victim to visit a crafted URL or click a malicious link; the vulnerability does not require authentication. The CVSS score of 7.1 places the flaw in the High severity range. The EPSS score of less than 1% suggests a low probability of active exploitation in the wild at the time of analysis, and its absence from the CISA KEV catalog supports this inference. Nevertheless, a reflected XSS can compromise user sessions or deface a site, so the risk remains significant for exposed websites.
OpenCVE Enrichment
EUVD