Impact
The faaiq Pretty Url WordPress plugin, in versions through 1.5.4, improperly neutralizes input during web page generation (CWE-79), which allows an attacker to inject arbitrary HTML or JavaScript into a page that is subsequently viewed by other users. The flaw can lead to session hijacking, credential theft, defacement, or other attacks that compromise the confidentiality, integrity and availability of the affected WordPress site. The description explicitly states that it is a reflected XSS issue, but the exact attack vector is not fully detailed; it is inferred that the vulnerability is triggered by a crafted URL containing malicious input that the plugin reflects into the rendered page.
Affected Systems
Any WordPress site that has installed the faaiq Pretty Url plugin with a version number of 1.5.4 or earlier. No later versions are currently affected.
Risk and Exploitability
The vulnerability has a CVSS score of 7.1, indicating medium-to-high severity, and an EPSS score below 1 %, which suggests a low but non-zero probability of exploitation in the wild. It is not listed in the CISA KEV catalog. Because the flaw is reflected, an attacker must supply a crafted request that includes the malicious payload, typically via a URL. Once the victim opens the manipulated link, the injected code executes in the victim's browser context, enabling client-side attacks such as cookie theft or further phishing.
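The root cause class described above, CWE-79 in a WordPress plugin that reflects a URL parameter, is illustrated here with an added, hypothetical example; this is not the Pretty Url plugin's code, and the function names and the `msg` query parameter are assumptions. It shows the unescaped output pattern next to the hardened form that uses WordPress's own sanitization and context-specific escaping helpers.

```php
<?php
// Added illustration, not code from the Pretty Url plugin: a hypothetical
// admin notice that reflects a query-string value back into the HTML.

// VULNERABLE pattern (CWE-79): the request parameter is echoed verbatim, so
// any markup carried in the URL is rendered, and executed, by whoever opens
// the link. Nothing on this path neutralizes the input.
function hypothetical_render_status_unsafe() {
    $msg = isset( $_GET['msg'] ) ? wp_unslash( $_GET['msg'] ) : '';
    echo '<div class="notice"><p>' . $msg . '</p></div>';
}

// HARDENED pattern: the value is sanitized on input and escaped for the exact
// output context (a text node here) with WordPress escaping helpers, so any
// markup from the URL is rendered as literal text rather than interpreted.
function hypothetical_render_status_safe() {
    $msg = isset( $_GET['msg'] ) ? sanitize_text_field( wp_unslash( $_GET['msg'] ) ) : '';
    echo '<div class="notice"><p>' . esc_html( $msg ) . '</p></div>';
}

// Attribute and URL contexts need their own escapers: esc_html() alone is not
// sufficient when the reflected value lands inside an href or another attribute.
function hypothetical_render_link_safe( $target ) {
    echo '<a href="' . esc_url( $target ) . '" data-label="' . esc_attr( $target ) . '">link</a>';
}
```

When reviewing a plugin for this defect class, look for every echo or print of `$_GET`, `$_REQUEST` or `$_SERVER['REQUEST_URI']` data and check that an escaper matching the output context sits between the request and the page.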
OpenCVE Enrichment