Improper Neutralization of Input During Web Page Generation is the flaw type the CVE describes; the plugin fails to escape user input when rendering a page, allowing a reflected XSS defect. An attacker can deliver a crafted request that causes the victim’s browser to execute arbitrary JavaScript in the context of the WordPress site. The possible consequences – such as defacement, phishing, or session hijacking – are inferred from the nature of XSS; they are not explicitly listed in the CVE description but are typical for this weakness.

WordPress sites that have the wppluginboxdev Stylish Google Sheet Reader plugin installed in any version up to and including 4.0 are affected. The vulnerability resides solely in the plugin code, so any server platform running WordPress may be impacted if the plugin is present.

The CVSS score of 7.1 places the flaw in the high severity category. The EPSS score of less than 1% indicates that exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a crafted URL or form submission that an attacker can share via email, social media, or malicious links; the vulnerability requires no privileged access on the target site, so any visitor to the attacked page could be exposed.