Impact
The vulnerability is an improper neutralization of input during web page generation in the CG Button WordPress plugin, classified as a reflected XSS flaw (CWE-79). When a victim opens a crafted URL containing malicious script, the plugin echoes the script back into the generated page without sanitizing it, and the victim's browser runs it. An attacker can exploit this to execute arbitrary JavaScript in the context of the site, potentially stealing session cookies, defacing content, or carrying out further phishing. The impact is limited to the victim user whose browser renders the injected code, but because the site may be used by many users, the effect can be widespread.
Affected Systems
The affected product is Rhizome Networks' CG Button (content-glass-button) WordPress plugin, versions from the initial release up to and including 1.0.5.6. No later versions were listed as impacted.
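To check whether a given site falls inside that range, the following added example (not code from the advisory or from the plugin) reads the plugin's version header from disk and compares it with 1.0.5.6. The plugins directory path, the helper names and the sample plugin file are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "content-glass-button"  # slug named in the advisory
LAST_AFFECTED = (1, 0, 5, 6)          # "up to and including 1.0.5.6"
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def parse_version(text):
    """'1.0.5.6' -> (1, 0, 5, 6); text with no leading number yields ()."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in m.group().split(".")) if m else ()

def is_affected(version):
    """True if version <= 1.0.5.6. Unparseable versions count as affected."""
    v = parse_version(version)
    width = max(len(v), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))  # 1.0.5 compares as 1.0.5.0
    return pad(v) <= pad(LAST_AFFECTED)

def installed_version(plugins_dir):
    """Version from the plugin's header comment, or None if the slug is absent."""
    plugin_dir = Path(plugins_dir) / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # headers sit at the top
        match = VERSION_RE.search(head) if "Plugin Name:" in head else None
        if match:
            return match.group(1)
    return "unknown"  # installed, but no readable header: treated as affected

def check(plugins_dir):
    version = installed_version(plugins_dir)
    if version is None:
        return "not installed"
    state = "AFFECTED" if is_affected(version) else "outside listed range"
    return f"{state} ({version})"

def demo():
    """Run the check against a constructed plugin tree (sample data, not real)."""
    with tempfile.TemporaryDirectory() as root:
        plugin = Path(root) / PLUGIN_SLUG
        plugin.mkdir()
        (plugin / "main.php").write_text(  # hypothetical file name and header
            "<?php\n/*\n * Plugin Name: CG Button\n * Version: 1.0.5.6\n */\n")
        return check(root)

if __name__ == "__main__":
    print(demo())
```

On a real host, call check() with the site's wp-content/plugins path. A result of "outside listed range" means only that the advisory does not list that version.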
Risk and Exploitability
The CVSS score of 7.1 indicates a high severity for client-side attacks. The EPSS score of less than 1% suggests a low overall likelihood of exploitation at present, and the vulnerability is not currently listed in the CISA KEV catalog. The most probable attack vector is a user clicking a malicious link or visiting a crafted URL; no user authentication or elevated privileges are required. Consequently, the combination of high impact and low exploit probability warrants a higher priority when a site's public audience is large or the plugin is used to display user-generated content.