Impact
Improper neutralization of input during web page generation leads to a reflected cross‑site scripting vulnerability in the RSVPMaker Volunteer Roles WordPress plugin. The flaw allows an attacker to inject arbitrary JavaScript into pages that echo user‑supplied data. When a victim clicks a maliciously crafted link or visits a URL containing the payload, the script executes in the victim’s browser context, potentially enabling session hijacking, credential theft, or defacement. This is a classic input‑validation weakness identified as CWE‑79 and is classified with a CVSS score of 7.1.
Affected Systems
Affected products include the RSVPMaker Volunteer Roles plugin developed by davidfcarr. Versions from the earliest release through and including 1.5.1 are impacted. Site administrators running these plugin versions on any WordPress environment are at risk. No other vendors or products are listed.
Risk and Exploitability
The severity rating of 7.1 indicates a high‑risk condition, but the EPSS score of less than 1% suggests that exploitation attempts are currently rare or unlikely to be widespread. The vulnerability is not present in CISA’s KEV catalog. Exploitation is straightforward: an attacker must create a URL containing malicious script and persuade a user to visit it, usually via phishing or social‑engineering tactics. Because the flaw is reflected, it does not require administrative access or local exploitation, making it feasible for non‑privileged attackers to impact unsuspecting site visitors. While the probability is low, the potential impact on confidentiality, integrity, and availability of user sessions warrants prompt attention.
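As an added illustration of the CWE-79 pattern behind this advisory (hypothetical code written for this page, not the RSVPMaker Volunteer Roles plugin's own source), the following shows a request parameter reflected into markup unescaped, beside the hardened form that sanitizes on input and escapes per output context with WordPress's sanitize_text_field(), esc_attr() and esc_html(). The function_exists() fallbacks are simplified stand-ins for those WordPress core functions so the file runs from the CLI outside WordPress; the role parameter name and sample input are constructed.

```php
<?php
// Stand-ins for WordPress core escaping helpers, used only when running outside WordPress.
// esc_html()/esc_attr() in core also use htmlspecialchars() with ENT_QUOTES; sanitize_text_field()
// is simplified here to tag stripping and trimming (core does more normalisation).
if (!function_exists('esc_html')) {
    function esc_html(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string { return trim(strip_tags($s)); }
}

// VULNERABLE pattern: the query parameter is concatenated straight into the page.
// Anything the link carries in ?role= lands in the attribute and in the text node as-is.
function render_role_form_unsafe(array $get): string
{
    $role = $get['role'] ?? '';
    return '<input name="role" value="' . $role . '">'
         . '<p>Signing up for: ' . $role . '</p>';
}

// HARDENED pattern: sanitize once on the way in, then escape for each output context.
// esc_attr() for the attribute value, esc_html() for the text node; a value placed inside
// inline JavaScript would need esc_js() instead (not shown).
function render_role_form_safe(array $get): string
{
    $role = isset($get['role']) ? sanitize_text_field((string) $get['role']) : '';
    return '<input name="role" value="' . esc_attr($role) . '">'
         . '<p>Signing up for: ' . esc_html($role) . '</p>';
}

// Constructed sample request, shaped like the crafted link the advisory describes.
$sample = ['role' => '"><script>alert(1)</script>'];

echo 'unsafe: ' . render_role_form_unsafe($sample) . PHP_EOL;
echo 'safe:   ' . render_role_form_safe($sample) . PHP_EOL;

// Regression check a maintainer can keep: user input must never reach the output as raw markup.
$safe = render_role_form_safe($sample);
if (strpos($safe, '<script') !== false || strpos($safe, '">') !== false) {
    fwrite(STDERR, "escaping regression detected\n");
    exit(1);
}
```

Run with `php file.php`: the unsafe output breaks out of the value attribute and emits a live script tag, while the safe output shows the same input reduced to inert entity-encoded text.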