Impact
The WP Social Broadcast plugin contains a reflected cross‑site scripting flaw caused by insufficient input sanitization. This weakness (CWE‑79) allows an attacker to inject malicious JavaScript through user‑controlled data that the plugin reflects back to a browser. If exploited, the injected script could hijack user sessions, execute arbitrary actions, deface the site, or steal sensitive information. The CVSS score of 7.1 indicates a medium‑high risk to confidentiality, integrity, and availability of site visitors.
Affected Systems
Any WordPress installation that has the WP Social Broadcast plugin installed with a version equal to or earlier than 1.0.0 is affected. The flaw exists from a pre‑release state through 1.0.0; no other products or vendors are listed in the CNA data. Sites using this plugin should verify the plugin version to determine if an update is needed.
Risk and Exploitability
The likely attack vector is an unauthenticated remote attacker who crafts a URL or supplies other input that the plugin reflects, unescaped, into a victim's browser. The EPSS score of less than 1% indicates a low probability of active exploitation in the wild, and the issue is not currently listed in CISA's KEV catalog. Nevertheless, because the CVSS score is 7.1, the attack could cause significant client‑side compromise wherever the plugin's output is exposed to site visitors. Prompt mitigation is recommended.
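To show the class of defect this advisory describes and the fix a plugin author would apply, here is an added example; it is not code from the WP Social Broadcast plugin, whose affected code path is not given here. The shortcode name, the `channel` parameter and the `wsb_demo_*` function names are assumptions; `sanitize_text_field`, `wp_unslash`, `esc_html`, `esc_attr`, `esc_url` and `add_shortcode` are standard WordPress core functions.

```php
<?php
// Added illustrative example, not the plugin's actual code.
// Hypothetical shortcode [broadcast_status] that reflects a request
// parameter (assumed name: "channel") back into the rendered page.

// VULNERABLE pattern (CWE-79): raw request data is concatenated into
// HTML and returned, so any markup supplied in ?channel=... is
// reflected verbatim into the page. This is the shape of flaw the
// advisory attributes to insufficient input sanitization.
function wsb_demo_status_vulnerable( $atts ) {
    $channel = isset( $_GET['channel'] ) ? $_GET['channel'] : '';
    return '<p class="wsb-status">Last broadcast to: ' . $channel . '</p>';
}

// HARDENED pattern: unslash and sanitize on input, then escape on
// output for the exact context the value lands in. esc_html() is what
// actually prevents the reflection from being interpreted as markup;
// sanitize_text_field() alone is not an output-escaping step.
function wsb_demo_status_hardened( $atts ) {
    $channel = isset( $_GET['channel'] )
        ? sanitize_text_field( wp_unslash( $_GET['channel'] ) )
        : '';
    return '<p class="wsb-status">Last broadcast to: ' . esc_html( $channel ) . '</p>';
}

// Same rule when the value lands inside an attribute or a URL:
// use esc_attr() / esc_url() rather than esc_html().
function wsb_demo_link_hardened( $url ) {
    $channel = isset( $_GET['channel'] )
        ? sanitize_text_field( wp_unslash( $_GET['channel'] ) )
        : '';
    return '<a href="' . esc_url( $url ) . '" data-channel="'
        . esc_attr( $channel ) . '">Open</a>';
}

// Register only the hardened handler; the vulnerable one is shown for
// comparison and must never be wired up.
add_shortcode( 'broadcast_status', 'wsb_demo_status_hardened' );
```

Reviewing a plugin for this bug class means locating every place where `$_GET`, `$_POST` or `$_REQUEST` data reaches output and confirming that a context-appropriate `esc_*()` call sits at the point of output, not merely a sanitizer at the point of input.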