The vulnerability is an instance of Improper Neutralization of Input During Web Page Generation (CWE‑79). When a user supplies malicious input through a form or URL parameter, the Pin Locations on Map plugin echoes that input into the generated page without proper encoding. The attacker’s script then executes in the victim’s browser, enabling theft of session cookies or execution of arbitrary actions on behalf of the victim. The flaw directly impacts confidentiality, integrity, and potentially authentication of the affected WordPress site.

WordPress sites that have the arsh91 Pin Locations on Map plugin installed at any version up through 1.0. These installations process user‑provided data without adequate sanitization, making the entire site vulnerable as far as the plugin’s front‑end components are concerned.

The CVSS score of 7.1 indicates a medium‑to‑high severity vulnerability. The EPSS score is below 1 %, showing that widespread exploitation is currently unlikely, yet the flaw remains actionable. The vulnerability is not listed in the CISA KEV catalog, but its potential to compromise user sessions remains. Attackers would typically craft a URL containing malicious payloads and convince a victim to visit it, thereby exploiting the reflected XSS vector.