The plugin contains an improper neutralization of user input during web page generation, leading to a reflected XSS vulnerability identified as CWE‑79. An attacker can inject malicious scripts that are echoed back in the page, enabling session hijacking, cookie theft, defacement, or the execution of arbitrary JavaScript in the victim’s browser. The impact is limited to compromised confidentiality and integrity of user sessions rather than direct remote code execution.

The vulnerability affects the ka2 Custom DataBase Tables WordPress plugin for all versions from the earliest available release through 2.1.34. All installations of the plugin under these version ranges are considered vulnerable.

The CVSS score of 7.1 indicates moderate to high severity. EPSS is listed as less than 1%, suggesting a low exploitation probability at the time of analysis, and the issue is not present in the CISA KEV catalogue. The likely attack vector is through the plugin’s parameter handling when user input is reflected in the generated content. Exploitation requires the ability to enter crafted input that is echoed back, which may be achieved via normal user interactions with the site.