Impact
Improper neutralization of input during web page generation in the Kumihimo WordPress plugin results in a reflected XSS flaw. When user-controlled data is echoed back into the page without proper escaping, a malicious script can be injected and executed in the victim's browser. The vulnerability is limited to the plugin's handling of unsanitized input; it does not directly grant access to server resources or data. The impact is confined to client-side code execution, which can undermine user trust and enable other attacks that rely on browser context, though no direct server compromise is indicated.
Affected Systems
The Kumihimo plugin distributed by fukushima is vulnerable in all releases up to and including version 1.0.2. Any WordPress site that has one of these versions installed is susceptible to the reflected XSS flaw.
Risk and Exploitability
The CVSS score of 7.1 classifies the flaw as high severity, but the EPSS score of less than 1% indicates a very low current probability of exploitation. It is not listed in CISA's KEV catalog. The likely attack vector is a remote attacker crafting a URL or sending a request that includes malicious input, based on the description that the plugin reflects unsanitized data back to the page. If triggered, the malicious script would run in the victim's browser context, potentially leading to session hijacking or defacement, but such outcomes are inferred from the nature of XSS and are not explicitly stated in the CVE data.
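The defect class and its fix, shown as an added example that is not the Kumihimo plugin's own code: a hypothetical shortcode handler that reflects a request parameter, first unescaped and then with WordPress's input-sanitizing and context-specific output-escaping functions. The parameter name "pattern", the shortcode tag and the function names are assumptions; the fallbacks at the top only exist so the file runs outside WordPress.

```php
<?php
// Added illustration, not code from the Kumihimo plugin. The "pattern"
// parameter and the "kumihimo_preview" shortcode are hypothetical.

// Minimal stand-ins so this file can be run outside WordPress; inside
// WordPress the real functions are already defined and these are skipped.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $s ) { return htmlspecialchars( $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }
    function esc_attr( $s ) { return htmlspecialchars( $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }
    function wp_unslash( $s ) { return stripslashes( $s ); }
    function sanitize_text_field( $s ) { return trim( strip_tags( $s ) ); }
    function add_shortcode( $tag, $cb ) {}
}

// Vulnerable pattern (CWE-79): the request value is concatenated straight
// into HTML, so any markup it carries is parsed by the browser. This is
// the "echoed back without proper escaping" behaviour the advisory describes.
function kumihimo_preview_vulnerable() {
    $pattern = isset( $_GET['pattern'] ) ? $_GET['pattern'] : '';
    return '<div class="preview" data-pattern="' . $pattern . '">'
         . 'Pattern: ' . $pattern . '</div>';
}

// Hardened pattern: unslash and sanitize on the way in, then escape for the
// exact output context. Sanitizing alone is not enough; esc_attr() protects
// the attribute value and esc_html() the element body.
function kumihimo_preview_safe() {
    $pattern = isset( $_GET['pattern'] )
        ? sanitize_text_field( wp_unslash( $_GET['pattern'] ) )
        : '';
    return '<div class="preview" data-pattern="' . esc_attr( $pattern ) . '">'
         . 'Pattern: ' . esc_html( $pattern ) . '</div>';
}

add_shortcode( 'kumihimo_preview', 'kumihimo_preview_safe' );

// Local check with a constructed input containing a quote and a tag:
// the safe handler emits only entity-encoded text, never live markup.
$_GET['pattern'] = 'braid" onmouseover="x <b>bold</b>';
echo kumihimo_preview_safe(), PHP_EOL;
```

Reviewing a plugin for this flaw means locating every place a request value reaches the page and confirming the escaping function matches the HTML context it lands in.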
OpenCVE Enrichment