Impact
The ClickBank Storefront plugin for WordPress fails to neutralize input during web page generation, which allows reflected cross-site scripting (XSS). When an attacker places a malicious script payload in a parameter that the plugin does not sanitize, the plugin echoes the payload back to the victim's browser. This can enable the execution of arbitrary client-side code, potentially leading to session hijacking, credential theft, defacement, or phishing attacks.
Affected Systems
Sites that run the dactum ClickBank Storefront plugin, version 1.7 or earlier, are vulnerable. No lower version limit is documented, so all releases up to and including 1.7 are affected. The plugin is frequently installed on WordPress sites through the mycbgenie-clickbank-storefront extension.
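One way to check an installation against the affected range above, as an added example that is not part of the original advisory or the plugin's own code: it reads the plugin header `Version` under `wp-content/plugins` and flags releases up to and including 1.7. It assumes the install directory matches the slug `mycbgenie-clickbank-storefront`; the file name and header text written by `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the plugin directory matches the slug named in the advisory.
SLUG = "mycbgenie-clickbank-storefront"
LAST_AFFECTED = (1, 7)  # advisory: version 1.7 or earlier
# WordPress reads plugin headers from the first 8 KiB of the main file.
HEADER_BYTES = 8192
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.I | re.M)

def parse_version(header):
    """Return the header's Version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(header)
    parts = re.findall(r"\d+", m.group(1)) if m else []
    return tuple(map(int, parts)) or None

def is_affected(version):
    """True for releases up to and including 1.7; unknown versions fail closed."""
    if version is None:
        return True
    width = max(len(version), len(LAST_AFFECTED))
    pad = lambda v: v + (0,) * (width - len(v))  # so 1.7.0 compares equal to 1.7
    return pad(version) <= pad(LAST_AFFECTED)

def scan(wp_root):
    """Return (file name, version, affected) for each main plugin file found."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    found = []
    for php in sorted(plugin_dir.glob("*.php")):
        header = php.read_text(errors="replace")[:HEADER_BYTES]
        if NAME_RE.search(header):  # only the file carrying the plugin header
            version = parse_version(header)
            found.append((php.name, version, is_affected(version)))
    return found

def demo(version_line):
    """Build a constructed WordPress tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        plugin_dir = Path(root) / "wp-content" / "plugins" / SLUG
        plugin_dir.mkdir(parents=True)
        # Constructed sample; the file name and header text are hypothetical.
        (plugin_dir / "storefront.php").write_text(
            "<?php\n/*\nPlugin Name: Sample Storefront\n" + version_line + "\n*/\n")
        return scan(root)
```

On a real host, call `scan()` with the WordPress document root; an empty list means no plugin header was found under that slug.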
Risk and Exploitability
The CVSS score of 7.1 classifies the flaw as high severity, while the EPSS score below 1% indicates a very low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The flaw is exploitable remotely over the web: an attacker injects a script into a URL or form that the plugin returns unfiltered. Exploitation requires that a victim load the crafted request, which is inferred from the reflected nature of the flaw.