Impact
The Kv Compose Email From Dashboard plugin, in version 1.1 and earlier, fails to escape user-controlled input before displaying it on the plugin's admin dashboard page. Because the input is neither neutralized nor encoded for its HTML context, an attacker can inject markup and script that is reflected into the page and executed by the browser of whoever views it. The flaw is a cross-site scripting vulnerability classified as CWE-79 (improper neutralization of input during web page generation).
Affected Systems
WordPress sites running the kvvaradha Kv Compose Email From Dashboard plugin in any release up to and including version 1.1 are affected. The issue is confined to that plugin; WordPress core and unrelated plugins are not affected by it.
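One way to check a site for affected copies, as an added example rather than anything shipped by the plugin or by WordPress: the function below walks the installed plugins, matches on the display name given above and compares the installed version against 1.1 with version_compare(). The assumption that the plugin header's Name field is exactly "Kv Compose Email From Dashboard" is mine; the advisory does not give the plugin's directory slug, so the check does not rely on it.

```php
<?php
/**
 * Added check, not part of the plugin or of WordPress core.
 * Run from a site-admin context (a one-off mu-plugin, or `wp eval-file`).
 * Assumption: the plugin header's "Plugin Name" is exactly
 * "Kv Compose Email From Dashboard".
 */

// Highest release the advisory lists as affected.
const KV_COMPOSE_LAST_AFFECTED = '1.1';

/**
 * True when $installed is at or below the last affected release.
 * version_compare() is the right tool here: a naive float cast would turn
 * "1.0.10" into 1.0 and could not tell "1.1" from "1.10".
 */
function kv_compose_version_is_affected( $installed ) {
    return version_compare( $installed, KV_COMPOSE_LAST_AFFECTED, '<=' );
}

/**
 * Returns [ plugin_file => [ 'version' => ..., 'active' => bool ] ] for every
 * copy of the plugin on disk whose version is affected. Activation state is
 * reported separately: an inactive copy is not reachable by a victim's
 * browser, but it is one click away from becoming so.
 */
function kv_compose_find_affected_installs() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }

    $found = array();
    foreach ( get_plugins() as $plugin_file => $data ) {
        if ( 'Kv Compose Email From Dashboard' !== $data['Name'] ) {
            continue;
        }
        if ( kv_compose_version_is_affected( $data['Version'] ) ) {
            $found[ $plugin_file ] = array(
                'version' => $data['Version'],
                'active'  => is_plugin_active( $plugin_file ),
            );
        }
    }
    return $found;
}

// Example usage from an admin context:
// foreach ( kv_compose_find_affected_installs() as $file => $info ) {
//     error_log( sprintf( '%s is %s (%s)', $file, $info['version'],
//         $info['active'] ? 'ACTIVE' : 'inactive' ) );
// }
```

get_plugins() reads plugin headers from disk, so it reports copies that exist but are deactivated; is_plugin_active() tells you which of those are actually serving the dashboard page.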
Risk and Exploitability
A CVSS score of 7.1 places the issue in the High band (7.0 to 8.9) of the CVSS v3.x scale. The EPSS score is reported as below 1%, that is, a low but non-zero estimated probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. From the description, the likely attack vector is reflected XSS: an attacker supplies malicious input, most probably through a parameter in a crafted URL or form field that the plugin's dashboard page displays, and the plugin reflects it into the response without escaping. Because the vulnerable page lives in the admin dashboard, the realistic victim is an administrator or other logged-in user who is tricked into opening the crafted link; the injected script then runs inside that user's session and can perform any action the admin interface allows that user. The usual prerequisites for reflected XSS apply: the victim must open the attacker-supplied link while authenticated, and a strict Content-Security-Policy on the site would limit what an injected script can do. Treat any installation at or below version 1.1 as vulnerable.
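To make the flaw described in the Impact section and the reflected-XSS scenario above concrete, here is an added illustration, not code from the plugin itself (the advisory does not show its source), of how a WordPress admin screen ends up with this CWE-79 pattern and how the same screen looks once input is sanitized and output is escaped for its context. The function names, the text-domain and the `kv_to` query parameter are hypothetical.

```php
<?php
/**
 * Added illustration; not the plugin's code. The parameter name 'kv_to',
 * the function names and the 'kv-compose' text-domain are hypothetical.
 */

// --- Vulnerable pattern: what CWE-79 looks like on a WP admin screen ---
// A "prefill the recipient" feature reads a query parameter and prints it
// straight into the form. A link such as
//   /wp-admin/admin.php?page=kv-compose&kv_to=%22%3E%3Cscript%3E...%3C/script%3E
// closes the value attribute and runs script in the administrator's session.
function kv_render_compose_form_vulnerable() {
    $to = isset( $_GET['kv_to'] ) ? $_GET['kv_to'] : '';
    echo '<h1>Compose Email</h1>';
    echo '<form method="post">';
    echo '<input type="text" name="kv_to" value="' . $to . '">'; // unescaped, attribute context
    echo '<p>Sending to: ' . $to . '</p>';                         // unescaped, HTML content
    echo '</form>';
}

// --- Hardened pattern ---
// 1. Only users who may manage the site get to render the page at all.
// 2. Input is unslashed, then sanitized for what it is supposed to be.
// 3. Every echo goes through a context-specific escaper:
//    esc_attr() inside an attribute, esc_html() in element content,
//    esc_url() for a URL. Escaping is kept even though the value was
//    sanitized, because the next developer may relax the sanitizer.
function kv_render_compose_form_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to access this page.', 'kv-compose' ) );
    }

    $to = '';
    if ( isset( $_GET['kv_to'] ) ) {
        // sanitize_email() strips everything that cannot be part of an
        // address, so a "><script> payload never reaches the output stage.
        $to = sanitize_email( wp_unslash( $_GET['kv_to'] ) );
    }

    echo '<h1>' . esc_html__( 'Compose Email', 'kv-compose' ) . '</h1>';
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="text" name="kv_to" value="' . esc_attr( $to ) . '">';
    /* translators: %s is the recipient address */
    echo '<p>' . esc_html( sprintf( __( 'Sending to: %s', 'kv-compose' ), $to ) ) . '</p>';
    echo '</form>';
}
```

The sanitizer and the escaper do different jobs: sanitize_email() decides what the value may contain, while esc_attr() and esc_html() guarantee that whatever is left cannot break out of the HTML context it is printed into. Dropping either one reintroduces the class of bug this advisory describes.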