The vulnerability arises from improper neutralization of input during web page generation in the WP Contest plugin, leading to a reflected XSS flaw. An attacker can supply specially crafted query parameters that are displayed without sanitization, allowing execution of arbitrary JavaScript in the context of any user viewing the reflected response. This could result in theft of credentials, session hijacking, defacement of content or initiation of additional attacks. The weakness is classified as CWE‑79. The impact is confined to the web application layer and is limited to the users who receive the reflected content, but the compromise of a single user can lead to broader exploitation if credential or session information is compromised.

The flaw affects the WordPress plugin ‘WP Contest’ developed by Sophia M Williams. All installations of the plugin with versions up to and including 1.0.0 are vulnerable. No specific operating system or host details are provided beyond the WordPress environment.

The CVSS score of 7.1 indicates a high severity. The EPSS score of less than 1% indicates a very low probability of exploitation at the time of assessment. The vulnerability is not listed in the CISA KEV catalog, which suggests limited observed exploitation. The likely attack vector is a direct web request to the vulnerable endpoint with crafted parameters, which requires the victim to visit a URL generated by an attacker. The attack does not require authentication or privileged access, but it depends on the attacker being able to supply the input and the victim viewing the reflected content.