Impact
The vulnerability is an improper neutralization of input during web page generation, allowing attackers to inject malicious scripts that are reflected back to the user in the browser's context. This reflected Cross‑Site Scripting (XSS) flaw can enable the execution of arbitrary JavaScript, leading to session hijacking, defacement, or phishing attacks against any user who visits a crafted URL. The weakness is identified as CWE‑79, indicating a failure to sanitize user input before rendering.
Affected Systems
The issue affects the WordPress SexBundle plugin provided by the vendor razvypp. All plugin releases up to and including version 1.4 are impacted, regardless of the WordPress installation level. No later revisions are known to be vulnerable.
Risk and Exploitability
The CVSS score of 7.1 classifies the flaw as high severity, while the EPSS score of less than 1% suggests a low probability of widespread exploitation at present. The vulnerability is not currently listed in the CISA KEV catalog. Attackers can exploit it by delivering a malicious URL or form input that the plugin echoes without proper encoding, a network‑based vector that requires the victim to click or submit the crafted content. Successful exploitation would grant the attacker the privileges of the victim’s browser session, potentially escalating to full compromise of the WordPress site if the victim has administrative access.