Impact
The vulnerability is an improper neutralization of input during web page generation (reflected cross-site scripting) in the Scan External Links plugin for WordPress. An attacker can place script payloads in query parameters that the plugin echoes back without neutralizing them, so any visitor who views the crafted page has those scripts executed in the context of the site. This can result in credential theft, session hijacking, or execution of arbitrary code in the victim's browser. The flaw does not affect the server side directly but undermines client-side security.
Affected Systems
WordPress sites running the Scan External Links plugin by the vendor anshulsojatia, versions up to and including 1.0. Every installation of version 1.0 or earlier remains vulnerable.
Risk and Exploitability
The CVSS base score of 7.1 indicates medium-to-high severity. The EPSS score is below 1 %, which represents a low probability of active exploitation, and the vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is a crafted URL carrying malicious input in the plugin's reflected parameters; the attacker only needs the victim to visit the resulting page, which makes this a straightforward, low-effort exploitation scenario.
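As an added illustration, not the plugin's own code (the advisory does not show it), the following hypothetical WordPress admin page shows the pattern described above, a query parameter echoed straight into the generated page, beside a hardened version that checks authorization and intent, sanitizes on input and escapes on output for the context the value lands in. The function names `sel_render_page_vulnerable` and `sel_render_page_fixed`, the `target` parameter and the nonce action name are assumptions.

```php
<?php
// Hypothetical plugin page, not the real Scan External Links code.
// Both functions read the 'target' query parameter; the names are assumptions.

// BEFORE: reflected XSS. Whatever arrives in ?target=... is written
// unescaped into an attribute and into the page body, so a crafted link
// runs script in the browser of any user who opens the page.
function sel_render_page_vulnerable() {
    $target = isset( $_GET['target'] ) ? $_GET['target'] : '';
    echo '<input type="text" name="target" value="' . $target . '">';
    echo '<p>Scanning links on: ' . $target . '</p>';
}

// AFTER: the same page with the defences a reviewer would expect.
function sel_render_page_fixed() {
    // Only users allowed to manage the site reach this page at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'sel' ) );
    }
    // Tie the request to a nonce so a crafted link from elsewhere is
    // rejected before its parameters are ever rendered.
    check_admin_referer( 'sel_scan_action', 'sel_nonce' );

    // Sanitize on input: undo the slashes WordPress adds, then normalise.
    $target = isset( $_GET['target'] )
        ? sanitize_text_field( wp_unslash( $_GET['target'] ) )
        : '';

    // Escape on output, choosing the escaper for the context:
    // esc_attr() inside an attribute, esc_html() in element content,
    // esc_url() when the value becomes an href.
    echo '<input type="text" name="target" value="' . esc_attr( $target ) . '">';
    echo '<p>Scanning links on: ' . esc_html( $target ) . '</p>';
    echo '<a href="' . esc_url( $target ) . '">' . esc_html( $target ) . '</a>';
}
```

The nonce check alone already defeats the crafted-URL vector the advisory describes, since a link forged elsewhere carries no valid `sel_nonce`; the per-context escaping is what removes the reflected XSS itself.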