Impact
The Awesome Hooks plugin for WordPress reflects user‑supplied request parameters directly into page output without sanitizing or escaping them, which creates a reflected cross‑site scripting flaw. An attacker can embed script content in a request that the plugin then renders, so the script runs in the browser of any user who views the affected page. This allows execution of arbitrary JavaScript in the victim’s browser and potentially compromises the confidentiality and integrity of data accessible to that user.
Affected Systems
WordPress sites that have installed the Awesome Hooks plugin version 1.0.1 or earlier are affected. The vulnerability spans all releases from the first build up to and including 1.0.1, meaning any site that has not upgraded past that threshold remains vulnerable.
Risk and Exploitability
The CVSS v3.1 score of 7.1 indicates a moderate to high severity. The EPSS score of less than 1% denotes a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could exploit the flaw by placing malicious input in a URL that the plugin echoes and luring a user into visiting it. Exploitation requires no special privileges and can affect any user, authenticated or not, who views the affected page.
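The following is an added example, not code from the Awesome Hooks plugin or from OpenCVE, that shows the defect class described in the Impact and Risk sections side by side with its fix: a request parameter echoed straight into HTML, and the same output built with WordPress's sanitize‑on‑input and escape‑for‑context helpers. The parameter name `hook_name`, the function names and the markup are hypothetical; the advisory does not name the affected parameter. Small shims stand in for the WordPress helpers so the file runs under `php` on the command line outside WordPress.

```php
<?php
// Added example (not the plugin's code). Shows the reflected-XSS pattern the
// advisory describes and a hardened version using WordPress escaping helpers.
// "hook_name" is a hypothetical parameter; the advisory names none.
// The function_exists() shims approximate the WordPress helpers so this file
// runs stand-alone with php-cli; inside WordPress the real helpers are used.

if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) {
        return stripslashes( (string) $value );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    // Approximation of the WordPress helper: strip tags and control bytes, trim.
    function sanitize_text_field( $str ) {
        $str = strip_tags( (string) $str );
        $str = preg_replace( '/[\x00-\x1F\x7F]/', '', $str );
        return trim( $str );
    }
}

/**
 * Vulnerable pattern: the raw parameter lands in an attribute and in element
 * text with no escaping. A value containing a quote or an angle bracket breaks
 * out of the intended markup, which is exactly the reflected XSS the advisory
 * describes. Kept here only to make the defect visible.
 */
function awesome_hooks_render_vulnerable( array $request ) {
    $hook = isset( $request['hook_name'] ) ? $request['hook_name'] : '';
    return '<div class="hook-name" data-hook="' . $hook . '">' . $hook . '</div>';
}

/**
 * Hardened pattern: normalise and sanitise on input, then escape for the exact
 * output context (esc_attr inside an attribute value, esc_html in element
 * text). The escaping step is what prevents XSS; sanitize_text_field only
 * narrows what the plugin accepts.
 */
function awesome_hooks_render_fixed( array $request ) {
    $hook = isset( $request['hook_name'] )
        ? sanitize_text_field( wp_unslash( $request['hook_name'] ) )
        : '';
    return '<div class="hook-name" data-hook="' . esc_attr( $hook ) . '">'
        . esc_html( $hook ) . '</div>';
}

// Constructed request: a benign probe string of the kind a scanner would send.
// In a real handler this would come from $_GET.
$probe = array( 'hook_name' => '"><script>alert(1)</script>' );

echo "Vulnerable output:\n" . awesome_hooks_render_vulnerable( $probe ) . "\n\n";
echo "Hardened output:\n"   . awesome_hooks_render_fixed( $probe ) . "\n";
```

Run with `php example.php`: the first block of output contains a live `<script>` element because the quote closed the attribute early, while the second shows the same input rendered as inert text. The practical check when auditing a plugin for this class of bug is to grep for `echo`, `print` and `printf` whose arguments trace back to `$_GET`, `$_POST` or `$_REQUEST` without passing through an `esc_*` or `wp_kses*` call appropriate to the output context.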
OpenCVE Enrichment