Impact
The Sale with Razorpay plugin for WordPress fails to neutralize user‑supplied input during web page generation, so an attacker can inject script that is reflected back to the victim’s browser. This reflected cross‑site scripting flaw (CWE‑79) lets an attacker execute arbitrary JavaScript in the site’s context in the browser of any user who visits a crafted URL, potentially exposing session cookies, defacing pages, and enabling phishing or credential theft.
Affected Systems
The vulnerability affects the WordPress plugin Sale with Razorpay (Brainvireinfo) for versions up to and including 1.0. Any WordPress installation that has this plugin enabled and is running a version ≤ 1.0 is at risk.
Risk and Exploitability
The CVSS base score of 7.1 indicates a medium‑to‑high severity vulnerability; the EPSS score of less than 1% suggests the likelihood of exploitation is currently low, and the issue is not listed in the CISA KEV catalog. The attack vector is a reflected request: the flaw is triggered when the plugin echoes user‑supplied request data into the generated page without escaping it. If an attacker can lure a target user to a crafted link, the injected script runs in that user’s browser and can steal sensitive information or hijack the session.
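As an added illustration (not the plugin’s own code, which the advisory does not reproduce), the generic shape of the bug class described above and its hardened counterpart in WordPress terms. The request parameter name `order_status` and the two render function names are assumptions chosen for the example; the stand‑in definitions of `esc_html()`, `esc_attr()` and `sanitize_text_field()` are simplified fallbacks so the file runs under the PHP CLI outside WordPress, where the real functions are used instead.

```php
<?php
// Added example, not code from the Sale with Razorpay plugin.
// Parameter name "order_status" is a placeholder assumption.

// Minimal stand-ins so this file runs outside WordPress. Inside WordPress the
// real esc_html(), esc_attr() and sanitize_text_field() are defined already and
// these fallbacks are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Simplified: the real function also strips invalid UTF-8 and octets.
    function sanitize_text_field($str) {
        $str = strip_tags((string) $str);
        return trim(preg_replace('/[\r\n\t ]+/', ' ', $str));
    }
}

// Vulnerable pattern (CWE-79): a query-string value is concatenated straight
// into the HTML that the plugin emits, so markup in the value is reflected
// to the browser unchanged.
function render_status_message_vulnerable(array $get): string {
    $status = $get['order_status'] ?? '';
    return '<p class="razorpay-status">Payment status: ' . $status . '</p>';
}

// Hardened pattern: sanitize on input, then escape on output with the escaper
// that matches the HTML context (attribute value vs. element text).
function render_status_message_hardened(array $get): string {
    $status = sanitize_text_field($get['order_status'] ?? '');
    return '<p class="razorpay-status" data-status="' . esc_attr($status) . '">'
         . 'Payment status: ' . esc_html($status) . '</p>';
}

// Constructed probe input: harmless markup is enough to show whether the
// value reaches the page as HTML or as inert text.
$constructedRequest = ['order_status' => 'paid"><b>injected</b>'];

if (PHP_SAPI === 'cli') {
    echo "Vulnerable: " . render_status_message_vulnerable($constructedRequest) . PHP_EOL;
    echo "Hardened:   " . render_status_message_hardened($constructedRequest) . PHP_EOL;
}
```

In the vulnerable output the `<b>` element is live HTML; in the hardened output the same bytes arrive as `&lt;b&gt;` and the stray quote as `&quot;`, so the browser renders them as text. For detection, the same property is what a WAF or access‑log review looks for: angle brackets or quotes in query parameters of requests to the plugin’s pages that the page then reflects verbatim. The fix for an affected site is to update the plugin beyond version 1.0 or disable it until a patched release is available.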
OpenCVE Enrichment