The a.ankit ReadMe Creator WordPress plugin contains an improper neutralization of user input during page generation, resulting in a reflected cross‑site scripting (XSS) flaw. When an attacker supplies malicious script payloads in a query parameter or form field that the plugin echoes back into the resulting HTML page, the victim’s browser will execute the payload. The visible consequence is that the attacker can run arbitrary JavaScript in the victim’s context, enabling session hijacking, cookie theft, or defacement of the site from the perspective of users who view the page.

The vulnerability affects the ReadMe Creator plugin version 1.0 and all earlier releases. Sites that have installed this WordPress plugin are at risk when the plugin’s pages process user supplied data without proper escaping.

The CVSS score of 7.1 indicates a high severity impact for the sites that use this plugin. The EPSS score of less than 1% suggests that exploitation is currently unlikely in the wild, and the vulnerability is not listed in CISA’s KEV catalog. Likely attack vectors involve a crafted HTTP request to a plugin‑handled page or form, but the exact exploitation path is inferred from the description rather than explicitly documented.