The Optimize Worldwide Find Content IDs plugin for WordPress contains a reflected cross‑site scripting flaw caused by a lack of input sanitization during page rendering. A malicious user can craft a URL with user‑supplied data that is reflected back without escaping, allowing arbitrary HTML or JavaScript to be injected and executed in the victim’s browser. This execution occurs in the context of the site, giving an attacker the potential to hijack sessions, deface content, or deliver malware to users who visit the crafted link.

All installations of Find Content IDs version 1.0 or earlier are affected. WordPress sites that have installed the plugin without upgrading are therefore vulnerable. No specific WordPress core versions are referenced, so the issue applies to any WordPress environment using the affected plugin.

The CVSS score of 7.1 indicates moderate to high severity, with exploitation possible without authentication. An EPSS score under 1% suggests a low probability of exploitation in the wild at the time of assessment. The vulnerability is not listed in the CISA KEV catalog. An attacker can trigger the flaw by delivering a specially crafted URL that contains unsanitized input; when a user follows that link, the malicious script is rendered by the browser and executed.