Improper handling of user‑supplied data in the Photo Video Store plugin allows a reflected XSS vulnerability, identified as CWE‑79. The flaw injects unsanitized input into generated web pages, enabling an attacker to execute arbitrary JavaScript in the browser of any user who visits the maliciously crafted URL. This can result in session hijacking, defacement, data theft, or the delivery of malware to the victim’s machine.

The vulnerability affects the cmsaccount Photo Video Store WordPress plugin on all installations running the version series from the earliest release through any release equal to or older than 21.07. No specific patch version is listed in the provided data, but the issue applies to every instance of the plugin before the fix was released.

The CVSS score of 7.1 indicates a moderate‑to‑high severity for the affected plugin. The EPSS score of less than 1% suggests a low probability of widespread exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an attacker to embed the malicious data in a URL or form that a victim’s browser will load; typical targets include site administrators or visitors who are tricked into clicking a link or submitting a form exposed by the plugin. Because the flaw only impacts the client side, it does not grant direct server‑side access, but it does enable several damaging attack possibilities if an attacker succeeds in redirecting users to the vulnerable page.