Impact
This vulnerability arises from improper neutralization of user-supplied data, allowing a crafted request to be reflected unescaped in the generated web page. An attacker could inject malicious scripts that execute in the victim's browser, enabling session hijacking, cookie theft, or the execution of arbitrary client‑side code. The flaw does not involve authentication or privilege escalation; it targets the content rendering of the vulnerable add‑on.
Affected Systems
The issue affects the WordPress plugin "Contact Form 7 – CCAvenue Add‑on" developed by Mahesh Bisen. All releases up to and including version 1.0 are impacted. Sites running this legacy plugin are potentially exposed whether their WordPress core is older or up to date.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, while an EPSS of less than 1% suggests a low probability of exploitation at present. The vulnerability has not been listed in CISA’s KEV catalog. It can be triggered by any user who can submit or view a form that passes data through the plugin; the attacker needs only to craft a malicious payload that will be reflected in the response page. Once executed, the payload runs in the context of the victim’s browser, giving the attacker the same privileges as the user. The absence of authentication requirements means the threat is widely accessible, though the likelihood of an attacker finding and exploiting the vector remains low given the current EPSS.