Impact
The Call To Action Popup plugin contains a reflected XSS flaw that allows an attacker to inject JavaScript into the page rendered for the user. The vulnerability stems from improper neutralization of user input in dynamic page content. If successfully exploited, an attacker could run arbitrary scripts in the victim's browser, potentially stealing session cookies, redirecting users to phishing sites, or hijacking user accounts. This directly jeopardizes the confidentiality and integrity of user data and may facilitate credential theft or malicious account takeover. The flaw resides in the plugin's handling of parameters that are reflected back in web page output without adequate escaping. It does not grant code execution on the server or alter server-side data; the impact is confined to the client side via the victim's browser. Because the vulnerability is client-side, it requires a victim to click a crafted link or view a malicious page that includes the exploit. Such attacks can be carried out over the public internet, but the overall risk is tempered by the low likelihood of exploitation as reflected in the EPSS metric.
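The defect class described above, reflecting a request parameter into page output without escaping, is shown here as an added example that is not code from the plugin or from this advisory. The plugin itself is WordPress/PHP; this Python stand-in uses a hypothetical parameter name `msg` and constructed markup, and places the vulnerable renderer beside the hardened one so the effect of escaping is visible.

```python
import html
from urllib.parse import parse_qs, quote, urlparse

# Constructed stand-in for a page that reflects a query parameter into its
# HTML. The parameter name "msg" and the wrapping markup are hypothetical;
# the advisory does not name the plugin's real parameters.


def _param(url: str, name: str = "msg") -> str:
    """Return the first decoded value of a query parameter, or '' if absent."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflect the parameter into element content with no escaping.

    This is the defect class the advisory describes: improper
    neutralization of input that ends up in dynamic page content.
    """
    msg = _param(url)
    return f'<div class="cta-popup">{msg}</div>'


def render_fixed(url: str) -> str:
    """Same page, but the value is HTML-escaped before it is reflected.

    html.escape(quote=True) turns &, <, >, " and ' into entities, so the
    browser renders the input as text rather than parsing it as markup.
    In WordPress plugin code the equivalents are esc_html() for element
    content and esc_attr() for attribute values.
    """
    msg = _param(url)
    return f'<div class="cta-popup">{html.escape(msg, quote=True)}</div>'


def reflects_unescaped(rendered: str, injected: str) -> bool:
    """True when the injected string survives verbatim in the output,
    i.e. a browser would interpret it as markup rather than text."""
    return injected in rendered


# Constructed probe: harmless on its own (calls an undefined function),
# but it becomes a live <script> element if reflected without escaping.
PROBE = "<script>probe()</script>"
PROBE_URL = "https://example.test/?msg=" + quote(PROBE, safe="")

if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        out = renderer(PROBE_URL)
        print(f"{label}: reflected raw = {reflects_unescaped(out, PROBE)}")
        print("   ", out)
```

The check `reflects_unescaped` is the one a plugin reviewer or a test suite would apply: send a marker that is only meaningful as markup, and fail if it comes back byte-for-byte. Escaping must match the output context; the example covers element content, and a value placed inside an attribute needs the quote-escaping form as well.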
Affected Systems
WordPress users running the lampd Call To Action Popup plugin version 1.0.2 or earlier are affected. The issue is present across all supported versions up to and including 1.0.2. There are no noted exceptions or vendor‑specific mitigations.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, but the EPSS score of less than 1% shows that the probability of exploitation is very low at present. The vulnerability is not listed in the CISA KEV catalog. Any attack would most likely arrive via crafted URLs or form inputs that include malicious scripts, which are reflected back to the victim's browser. Successful execution requires the victim to be tricked into loading the malicious input.
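Because exploitation has to travel through a crafted URL that the victim loads, attempts leave a trace in the web server's access log. The following is an added example, not part of this advisory or the plugin, of a defender-side check that scans constructed combined-format log lines for query strings which, once percent-decoding is undone (including double encoding), contain markup that has no business in a normal parameter value. The log lines, addresses and parameter name are invented.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in combined format. Addresses are from the
# 203.0.113.0/24 documentation range and the traffic is invented.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /?msg=hello+world HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2024:12:00:02 +0000] "GET /?msg=%3Cscript%3Eprobe()%3C/script%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2024:12:00:03 +0000] "GET /?msg=%253Cscript%253Eprobe()%253C/script%253E HTTP/1.1" 200 640 "-" "curl/8.0"
203.0.113.7 - - [10/May/2024:12:00:04 +0000] "GET /?msg=5%3C10 HTTP/1.1" 200 500 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status from a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Fragments that only make sense as HTML or JavaScript, not as ordinary text:
# a tag from the script-bearing set, an inline event handler preceded by
# whitespace or a quote (so parameter names like "online=" do not match),
# or a javascript: URL scheme.
MARKUP_RE = re.compile(
    r"<\s*/?\s*(script|iframe|svg|img|object|embed)\b"
    r"|[\s\"']on[a-z]+\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so a doubly encoded value is seen
    in its final form; stops early once decoding no longer changes it."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_reflected_xss_attempts(log_text: str) -> list[dict]:
    """Return one record per request whose decoded query string carries markup."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        query = m.group("target").partition("?")[2]
        if not query:
            continue
        decoded = fully_decode(query)
        if MARKUP_RE.search(decoded):
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": int(m.group("status")),
                "decoded_query": decoded,
            })
    return hits


if __name__ == "__main__":
    for hit in find_reflected_xss_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} -> {hit['status']} {hit['decoded_query']}")
```

The decode loop is the part worth keeping: a single `unquote` pass leaves `%253C` as `%3C`, and a match on the raw query misses it entirely. The fourth sample line (`5<10`) is deliberately benign and is not flagged, since a lone angle bracket is normal input and a rule that fires on it produces mostly noise.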
OpenCVE Enrichment