An improper neutralization of input in dkukral's Attach Gallery Posts plugin allows reflected cross-site scripting. The flaw occurs when user-supplied data is placed in a web page without adequate sanitization, enabling an attacker to inject malicious scripts that will execute in the victim’s browser. This can lead to theft of authentication cookies, identity impersonation, or phishing attacks against site users. The vulnerability is a classic input validation weakness, classified as CWE‑79.

The plugin Attach Gallery Posts for WordPress is affected in all releases from the initial version up to and including 1.6. Administrators should identify whether site owners deploy any of these versions and note that the plugin author dkukral is the only vendor listed. No other components are affected.

The CVSS score of 7.1 indicates high impact, while the EPSS of less than 1% suggests a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. The likely attack vector is a crafted request containing malicious payloads that the plugin reflects back into a dynamically generated page, typically via URL parameters or form inputs. While a successful exploit requires user interaction such as visiting a malicious link, it can be amplified by social engineering or compromised sites.