Impact
The melascrivi WordPress plugin contains an Improper Neutralization of Input During Web Page Generation (reflected cross-site scripting) flaw, enabling an attacker to inject script code that is reflected back to the user through the web page. If an attacker supplies specially crafted input (for example, a URL parameter) that the plugin neither sanitizes nor encodes, the script executes in the victim's browser whenever the victim loads the vulnerable page with that input. This can lead to session hijacking, credential theft, or defacement, compromising the confidentiality and integrity of site data for users who view the page.
Affected Systems
WordPress sites running the melascrivi plugin version 1.4 or earlier are affected. The vulnerability is present in all releases from the earliest documented version up to and including 1.4.
Risk and Exploitability
The CVSS score of 7.1 indicates a high-severity vulnerability, yet the EPSS score of less than 1% suggests that exploitation in the wild is currently unlikely. The flaw is not listed in the CISA KEV catalog, so no confirmed exploitation has been reported there. The most probable attack vector is a crafted request carrying a malicious payload; the script runs only when a victim views the reflected data in a browser. Defenders should note that the issue remains exploitable as long as the plugin renders user-supplied input without proper output encoding.
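As an added illustration (not the melascrivi plugin's code; it assumes a hypothetical handler that reflects a URL parameter named q), the unescaped-output pattern behind this class of flaw is shown beside the WordPress input sanitization and context-specific escaping that neutralizes it:

```php
<?php
/*
 * Added illustration, not melascrivi's code: a hypothetical plugin handler
 * that reflects a URL parameter ("q") back into the page, first as the
 * unsafe pattern, then with WordPress's input sanitization and
 * context-appropriate output escaping.
 */

// Weak: the raw query parameter is echoed straight into HTML, so any markup
// or script in it is interpreted by the browser (reflected XSS, CWE-79).
function hypothetical_search_box_weak() {
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    echo '<input type="text" name="q" value="' . $q . '">';
    echo '<p>Results for: ' . $q . '</p>';
}

// Hardened: unslash and sanitize on input, then escape for the exact output
// context (attribute vs. text node vs. URL) so reflected content is inert.
// sanitize_text_field() alone is not an output encoder; escaping is still required.
function hypothetical_search_box_hardened() {
    $q = isset( $_GET['q'] )
        ? sanitize_text_field( wp_unslash( $_GET['q'] ) )
        : '';

    // Attribute context: quotes and angle brackets become entities.
    echo '<input type="text" name="q" value="' . esc_attr( $q ) . '">';

    // Text-node context.
    echo '<p>Results for: ' . esc_html( $q ) . '</p>';

    // URL context: build the link with add_query_arg() and escape with esc_url().
    $link = add_query_arg( 'q', $q, home_url( '/' ) );
    echo '<a href="' . esc_url( $link ) . '">Permalink to this search</a>';
}

// Register the hardened version as a shortcode (the shortcode name is hypothetical).
add_shortcode( 'hypothetical_search_box', function () {
    ob_start();
    hypothetical_search_box_hardened();
    return ob_get_clean();
} );
```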
OpenCVE Enrichment