Impact
The vulnerability is an improper neutralization of user input during web page generation (CWE‑79) in the Post And Page Reactions plugin, resulting in reflected cross‑site scripting (XSS). An attacker places JavaScript in a request parameter that the plugin echoes back unescaped in the generated HTML response. If a victim opens a crafted link or visits a page that issues the crafted request, the script runs in the victim’s browser in the context of the vulnerable site, where it can read session material not protected by HttpOnly, deface the rendered page, or perform actions as the victim. Because the payload is reflected rather than stored, it executes only for the user who loads the crafted request, and the damage scales with that user’s privileges.
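The pattern the advisory describes, shown as an added illustrative example in WordPress plugin style; this is not code from the Post And Page Reactions plugin, and the parameter name reaction_msg, the function names and the sample payload are assumptions made for the example. The shims at the top approximate the real WordPress helpers (wp_unslash, sanitize_text_field, esc_html, esc_attr) so the file runs outside WordPress; inside WordPress the real functions take precedence.

```php
<?php
// Added example, not the plugin's own code. Shows a request parameter echoed into
// generated HTML (CWE-79, reflected XSS) beside the WordPress-idiomatic fix.

// Shims so this file runs stand-alone. They approximate the WordPress functions of
// the same name (assumption: close enough for the demo); WordPress defines the real ones.
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) { return stripslashes( $value ); }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $str ) {
        // Strip tags and collapse whitespace, roughly what WordPress does.
        return trim( preg_replace( '/[\r\n\t ]+/', ' ', strip_tags( $str ) ) );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Vulnerable pattern: the raw query-string value is concatenated into the page,
// once inside an attribute and once in element content. A request such as
// ?reaction_msg=<script>alert(1)</script> is reflected verbatim in both places.
function vulnerable_reaction_notice( array $request ) {
    $msg = isset( $request['reaction_msg'] ) ? $request['reaction_msg'] : '';
    return '<div class="reaction-notice" data-msg="' . $msg . '">' . $msg . '</div>';
}

// Hardened pattern: unslash, sanitize on input, then escape on output for the
// context each copy lands in (esc_attr for the attribute, esc_html for the body).
function hardened_reaction_notice( array $request ) {
    $msg = isset( $request['reaction_msg'] )
        ? sanitize_text_field( wp_unslash( $request['reaction_msg'] ) )
        : '';
    return '<div class="reaction-notice" data-msg="' . esc_attr( $msg ) . '">'
        . esc_html( $msg ) . '</div>';
}

// Constructed payload standing in for the query string of a crafted link.
// The leading "> breaks out of the attribute in the vulnerable version.
$crafted = array( 'reaction_msg' => '"><script>alert(document.cookie)</script>' );

echo 'vulnerable: ' . vulnerable_reaction_notice( $crafted ) . PHP_EOL;
echo 'hardened:   ' . hardened_reaction_notice( $crafted ) . PHP_EOL;

// Self-check: the hardened output must contain no raw tag and no unescaped quote.
$hardened = hardened_reaction_notice( $crafted );
var_dump( strpos( $hardened, '<script' ) === false && strpos( $hardened, '">' ) === false );
```

The handlers take the request array as a parameter rather than reading $_GET directly so the same code can be exercised with a constructed payload; in a real plugin the caller would pass $_GET. If the feature genuinely needs to render limited HTML from the parameter, replace esc_html() with wp_kses() and an explicit allow-list rather than skipping output escaping, and keep the escaping function matched to the output context (attribute, element body, URL, or inline script each need a different one).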
Affected Systems
Affected installations are WordPress sites running the arete‑it Post And Page Reactions plugin in any version up to and including 1.0.5. Sites still running one of those versions remain exposed. The weakness resides entirely in the plugin code, and the exposure is not limited to a particular role: any visitor who can be induced to load a crafted request for an affected page, authenticated or not, can be targeted.
Risk and Exploitability
The CVSS score of 7.1 places the issue in the High severity band; the EPSS probability is low (under 1%), and the vulnerability is not listed in CISA KEV. Exploitation would typically involve an attacker crafting a URL with a payload that the plugin reflects into the page, and then getting a victim to click the link or visit a page that issues the request, so user interaction is required. The impact is confined to the client side (the victim’s browser and session) with no direct server compromise, but a privileged user such as an administrator who opens the link can hand the attacker a session with that user’s rights. Prompt remediation is recommended.
OpenCVE Enrichment