The WordPress Tag Cloud Plugin – Tag Groups version 2.0.4 and earlier contains a reflected cross‑site scripting flaw that arises from improper neutralization of user input when generating a page. This bug allows an attacker to inject malicious JavaScript that executes in the browser of anyone who views the affected page. Consequently, attackers can steal session cookies, deface the site, or perform other client‑side attacks. The weakness stems from CWE‑79, improper handling of untrusted input. Based on the description, it is inferred that attackers would exploit this vulnerability by sending a crafted link containing unsanitized input.

Affected users are those who have installed the plug‑in Steve Burge WordPress Tag Cloud Plugin – Tag Groups through any release date up to and including 2.0.4. The vulnerability exists on all WordPress installations that use this plug‑in and do not apply an update beyond that version.

The CVSS base score is 7.1, indicating a high impact potential when an attacker succeeds. The EPSS score is less than 1 %, implying a low estimated exploitation probability. The flaw is not listed in the CISA KEV catalogue. Attackers would typically craft a malicious link that exploits the unencoded parameter; because the payload is executed in the victim’s browser, a user must interact with the link for the attack to trigger. Based on the description, the likely attack vector is a crafted URL or form that includes unsanitized input, causing the malicious payload to execute when a user views the affected page. Overall, the risk remains moderate but should be addressed promptly.