Impact
The vulnerability arises from improper neutralization of user-supplied data during web page generation, which permits reflected cross-site scripting (XSS). Based on the description, it is inferred that an attacker can embed malicious JavaScript in a crafted URL; when a victim opens that URL, the script executes in the victim's browser within the origin of the affected WordPress site. That can lead to session hijacking (where session cookies are not marked HttpOnly), credential theft via injected forms, page defacement, or actions performed with the victim's privileges, so it affects the confidentiality and integrity of the site for users who interact with the plugin, and its availability for those users to the extent that injected script can alter or block what they see. The weakness is the classic failure to encode untrusted data for the HTML context it is written into, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).
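The pattern behind CWE-79, as an added illustration that is not the GeoDigs plugin's code and not taken from the advisory: one untrusted query value written into three output contexts, first without neutralization and then with context-appropriate encoding. The helper names `esc_html`, `esc_attr` and `esc_url` mirror the WordPress functions of the same names only in intent; the bodies here are plain Python so the script runs stand-alone, and the payloads are constructed probes.

```python
"""Reflected XSS (CWE-79): one untrusted value, three output contexts.

Added example, not the plugin's code. esc_html/esc_attr/esc_url below are
plain-Python stand-ins for the WordPress helpers of the same names.
"""
import html
from urllib.parse import urlsplit

# Constructed probe payloads; nothing here is taken from the advisory.
PAYLOAD_MARKUP = '"><img src=x onerror=alert(document.cookie)>'
PAYLOAD_SCHEME = 'javascript:alert(document.domain)'

# ASCII controls and space: browsers strip these around a URL before parsing.
_CTRL = ''.join(map(chr, range(0x21)))


# --- vulnerable pattern ----------------------------------------------------

def render_vulnerable(term: str, back_link: str) -> str:
    """Request data concatenated straight into the page. Every context is
    exploitable: the text node, the quoted attribute and the href."""
    return (
        f'<p>Results for: {term}</p>\n'
        f'<input type="search" value="{term}">\n'
        f'<a href="{back_link}">Back</a>'
    )


# --- hardened pattern ------------------------------------------------------

def esc_html(s: str) -> str:
    """Text-node context: entity-encode & < > " ' so markup stays inert."""
    return html.escape(s, quote=True)


def esc_attr(s: str) -> str:
    """Quoted-attribute context: same encoding as esc_html; separate name
    so the output context is visible at the call site."""
    return html.escape(s, quote=True)


def esc_url(url: str) -> str:
    """href context: entity encoding alone does not stop javascript: URLs.
    Normalise the way browsers do (drop tab/newline anywhere, trim leading
    and trailing controls) so "java\\tscript:" cannot slip past, then allow
    only http(s) or relative URLs, and finally encode for the attribute."""
    cleaned = url.replace('\t', '').replace('\n', '').replace('\r', '').strip(_CTRL)
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in ('http', 'https'):
        return ''
    return html.escape(cleaned, quote=True)


def render_hardened(term: str, back_link: str) -> str:
    """Same template, each interpolation encoded for its own context."""
    return (
        f'<p>Results for: {esc_html(term)}</p>\n'
        f'<input type="search" value="{esc_attr(term)}">\n'
        f'<a href="{esc_url(back_link)}">Back</a>'
    )


# --- check --------------------------------------------------------------------

TEMPLATE_TAGS = 5  # <p>, </p>, <input>, <a>, </a> emitted by the template itself


def injected_tags(rendered: str) -> int:
    """Number of '<' characters beyond those the template itself emits;
    anything above zero means attacker markup reached the DOM."""
    return rendered.count('<') - TEMPLATE_TAGS


if __name__ == '__main__':
    print('vulnerable injected tags:', injected_tags(render_vulnerable(PAYLOAD_MARKUP, PAYLOAD_SCHEME)))
    print('hardened  injected tags:', injected_tags(render_hardened(PAYLOAD_MARKUP, PAYLOAD_SCHEME)))
    print(render_hardened(PAYLOAD_MARKUP, PAYLOAD_SCHEME))
```

Two points the example is built around: the encoding has to match the context the value lands in (a value placed inside a script block or an unquoted attribute needs yet another treatment, which is why a single global "sanitize" step so often leaves a reflected XSS behind), and an href is not made safe by entity encoding alone, since `javascript:` contains nothing that `htmlspecialchars` would touch. Where a plugin must allow limited HTML in user content, the WordPress approach is an allowlist filter such as `wp_kses_post()` rather than escaping.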
Affected Systems
The NewMediaOne GeoDigs plugin for WordPress, in all versions up to and including 3.4.1. Any site running one of these releases is exposed until the plugin is updated to a version that carries the fix.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity (7.0 to 8.9 is the High band), while the EPSS score of under 1 percent indicates a low estimated probability of exploitation in the wild at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation requires the attacker to get a victim to open a crafted URL carrying the payload, the usual reflected XSS vector: a phishing email, social engineering, or a link posted on a third-party site. The impact is greatest when the victim is a logged-in administrator, since the script then runs with that user's session. Although the exploitation probability is currently low, the severity warrants prompt remediation.
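Because the vector is a crafted URL, attempts to exploit it leave the payload in the web server's access log. The following is an added example, not from OpenCVE or the plugin vendor, of scanning combined-format log lines for reflected-XSS probes; the log lines are constructed and the parameter names (`s`, `region`) are hypothetical, not the plugin's real ones.

```python
"""Spotting reflected-XSS probe URLs in web server access logs.

Added example for the advisory's attack-vector discussion; not from
OpenCVE or the plugin vendor. Log lines are constructed, and the
parameter names are hypothetical, not the plugin's real ones.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Payload shapes that have no business in a search term or page parameter.
# Only parameter values are checked, so a key like "onboarding" is not a hit.
XSS_PATTERNS = [
    re.compile(r'<\s*/?\s*(script|img|svg|iframe|object|embed|body|math|details|input)\b', re.I),
    re.compile(r'\bon[a-z]+\s*=', re.I),   # event handler attribute, e.g. onerror=
    re.compile(r'javascript\s*:', re.I),
]

# Constructed sample: one benign search, one plain probe, one benign request
# with an "on..." parameter name, and one double-encoded attribute-breakout probe.
SAMPLE_LOG = """\
198.51.100.4 - - [10/Jan/2025:10:00:01 +0000] "GET /?s=geodigs+map HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "GET /?s=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 5311 "http://phish.example/" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2025:10:00:03 +0000] "GET /listing?region=north&onboarding=true HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:10:00:04 +0000] "GET /listing?region=%2522%2520onmouseover%253Dalert(1)%2520x%253D%2522 HTTP/1.1" 200 4101 "-" "curl/8.4"
"""


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo layered percent-encoding; attackers double-encode to get past
    naive filters. Stops as soon as a round changes nothing."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str):
    """Return (name, decoded value) for each query parameter whose value
    matches an XSS pattern. parse_qsl already decodes one layer."""
    query = urlsplit(target).query
    hits = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = decode_fully(raw)
        if any(p.search(value) for p in XSS_PATTERNS):
            hits.append((name, value))
    return hits


def scan(lines):
    """One finding per suspicious parameter; the referer is kept because an
    external referer on a probe is the phishing-link case the advisory describes."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value in suspicious_params(m['target']):
            findings.append({'ip': m['ip'], 'param': name, 'payload': value,
                             'referer': m['referer'], 'status': m['status']})
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f)
```

Two caveats a responder should keep in mind: a 200 response to a probe says nothing about whether the value was actually reflected, so a hit is a lead to confirm against the page output, not proof of compromise; and payloads delivered in POST bodies or fragments (`#...`) never reach the access log at all, so an absence of hits is not an absence of attempts.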
OpenCVE Enrichment