The flaw is an instance of improper neutralization of input during web page generation, allowing an attacker to embed arbitrary script content in a page that is reflected back to the user. The vulnerability is classified as Cross‑Site Scripting (CWE‑79) and can be exploited when a user follows a crafted URL containing malicious code. Successful exploitation could lead to session hijacking, theft of user data granted to the vulnerable user, or the execution of additional malicious actions in the user’s browser context. The impact is limited to the affected user’s environment and does not provide direct system‑wide code execution.

The WordPress plugin "wp Hosting Performance Check" developed by Scott Farrell is vulnerable. All versions from the initial release through 2.18.8 are affected. Upgrading to a later release eliminates the flaw.

The CVSS score of 7.1 indicates a moderate severity, and the EPSS value of less than 1% indicates a very low but non‑zero likelihood that this vulnerability will be exploited in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a reflected XSS scenario where a maliciously crafted URL is sent to a user who visits the page, causing the injected script to execute in their browser. The exploitation requires no special privileges and relies solely on user interaction with the vulnerable page.