The Zarinpal Paid Download WordPress plugin up to version 2.3 contains an improper neutralization of input during page generation that allows reflected cross‑site scripting. By submitting a crafted query string, an attacker can cause the plugin to echo unsanitized data into the HTML response, enabling injection of arbitrary JavaScript that executes in the victim’s browser. A successful exploit can lead to cookie theft, session hijacking, or delivery of additional malicious content. The likely attack vector is a malicious URL that includes unsanitized query parameters, as inferred from the described data handling.

WordPress users running the Masoud Amini Zarinpal Paid Download plugin at any release level from the initial build through version 2.3 are affected. The vulnerable code path exists in every instance of the plugin prior to any version update beyond 2.3.

The CVSS score of 7.1 indicates high severity, yet the EPSS score of less than 1 % signals a low probability of exploitation as of the last assessment. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a victim to visit a page that includes malicious input, which is typically achieved by a phishing link or embedded content, based on the description, this is inferred. Because the impact is confined to the client browser, the threat is primarily client‑side, but sites with many visitors or those that handle sensitive data may experience wide‑scale code execution or credential theft if exploited.