The FAKTOR VIER F4 Post Tree plugin for WordPress has an improper neutralization of input during web page generation that enables reflected cross-site scripting. An attacker can embed malicious script payloads in user-supplied data that the plugin then injects directly into the rendered page. This flaw allows the attacker to execute arbitrary JavaScript in the browsers of any user who views the affected page, potentially leading to session hijacking, credential theft, defacement, or distribution of malware. The weakness corresponds to CWE-79 and is rated high on the CVSS scale due to the impact on confidentiality, integrity, and availability of user sessions.

The vulnerability affects the F4 Post Tree plugin from the FAKTOR VIER family. All releases from the earliest available version up to and including version 1.1.18 are impacted. WordPress sites that have turned on the plugin and have not applied the latest update are susceptible. No other versions or products are listed as affected by the advisory.

The CVSS score of 7.1 indicates a high severity for this XSS flaw. The EPSS score of less than 1 % suggests that, at the present time, the exploitation probability is low, but its presence in a widely used WordPress plugin makes it a realistic target for opportunistic attackers. The flaw can be triggered remotely by crafting a URL or form input that contains script code, so a visitor to a maliciously crafted link will trigger the vulnerability. The flaw is not listed in CISA's KEV catalog, indicating no known large-scale use at the time of reporting. Nevertheless, the user impact of arbitrary JavaScript execution warrants prompt attention.