Impact
The vulnerability is a reflected cross‑site scripting flaw in the WordPress AlT Report plugin caused by improper neutralization of input during web page generation. A malicious request can cause user‑supplied data to be rendered unescaped, allowing the injection of arbitrary scripts that execute in the victim's browser. The official description does not detail specific attack outcomes, but typical reflected XSS can lead to session hijacking, defacement, or redirects; these effects are inferred from general XSS behavior.
Affected Systems
The flaw exists in the AlT Report plugin for WordPress, sold by AlTi5 under the module name AlT Report. It affects all releases from the earliest available version through version 1.12.0. Any WordPress site that has the plugin installed at or below that version is vulnerable.
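The affected range above can be checked against an installed copy by reading the `Version:` field of the plugin's main PHP file. The following is an added example, not code from the advisory or the plugin: the sample header is constructed, and treating a missing or unparseable version as affected is an assumption made here to stay conservative.

```python
import re

# Last affected release, taken from the advisory text above.
LAST_AFFECTED = "1.12.0"

# WordPress reads plugin metadata from a header comment in the main PHP file;
# this pattern accepts the same comment prefixes in front of the field name.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)",
                         re.IGNORECASE | re.MULTILINE)


def header_version(php_source):
    """Return the Version field of a plugin header, or None if absent."""
    # WordPress only scans the first 8 KB of the file for header fields.
    match = _VERSION_RE.search(php_source[:8192])
    return match.group(1) if match else None


def version_key(version):
    """Numeric components as a tuple, so that 1.9.0 sorts below 1.12.0."""
    # Drop any pre-release suffix ("1.13.0-beta") before extracting numbers.
    parts = [int(p) for p in re.findall(r"\d+", version.split("-")[0])]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(php_source):
    """True when the header version is at or below LAST_AFFECTED."""
    version = header_version(php_source)
    if version is None:
        return True  # assumption: unknown version is treated as affected
    return version_key(version) <= version_key(LAST_AFFECTED)


def sample_header(version):
    """Constructed plugin header for demonstration; not the real plugin file."""
    return ("<?php\n/*\n * Plugin Name: AlT Report\n"
            " * Version: %s\n */\n" % version)


if __name__ == "__main__":
    for v in ("1.9.0", "1.12.0", "1.12.1"):
        print(v, "affected" if is_affected(sample_header(v)) else "outside range")
```

The tuple comparison matters because a plain string comparison ranks "1.9.0" above "1.12.0" and would report an affected install as outside the range.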
Risk and Exploitability
The CVSS score of 7.1 indicates a moderate to high severity for arbitrary script injection. The EPSS value of less than 1% suggests that exploitation attempts are currently uncommon. The vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation has been reported. Because the flaw is reflected, a crafted URL alone is enough to trigger it, and no authentication or elevated privileges are required, making the risk appreciable for publicly accessible sites.