Impact
The WP Intro.JS plugin reflects unsanitized input back to the user, which allows an attacker to inject malicious scripts. This is a classic reflected XSS flaw (CWE-79): it would let an attacker execute arbitrary JavaScript in the victim's browser, potentially stealing session cookies, logging keystrokes, or defacing the site. The description states only that the flaw is a reflected XSS, without additional context, so the impact is confined to the ability to run code in the victim's context when a crafted URL is opened.
Affected Systems
The affected product is the WordPress plugin WP Intro.JS from the vendor cfuze, versions n/a through 1.1 inclusive. The plugin is available through the WordPress plugin repository and may be present on any WordPress installation that uses it.
Risk and Exploitability
The CVSS score of 7.1 classifies this as a high-severity flaw, and the EPSS score of less than 1% indicates a low probability of widespread exploitation at the moment. Because the vulnerability is reflected, legitimate site visitors would need to be tricked into clicking a crafted link that contains the malicious payload. The vulnerability is not listed in the CISA KEV catalog, and no publicly disclosed exploits are known as of the latest data.