Impact
The vulnerability arises from improper neutralization of input during web page generation (CWE‑79) in the Library Instruction Recorder plugin. An attacker can inject arbitrary JavaScript that is reflected back to the user’s browser because the plugin writes user‑supplied data into a page without escaping it. The flaw can lead to session hijacking, credential theft, or the execution of unwanted actions within the victim’s session. It carries a CVSS score of 7.1, indicating high potential impact on confidentiality, integrity, and availability.
Affected Systems
This flaw affects the Matt Brooks Library Instruction Recorder WordPress plugin in all releases through version 1.1.4. Any WordPress site that has this plugin installed and enabled on an older version is susceptible, regardless of other security controls in place.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity. The EPSS score is below 1%, suggesting that exploitation is currently rare, and the vulnerability is not listed in the CISA KEV catalog. However, the flaw is a reflected XSS: an attacker needs only to supply input that the plugin writes to a web page unescaped. The likely attack vector is a crafted HTTP request that carries a malicious payload in the plugin’s input fields, which is then reflected into the browser of whoever submits that request. No authentication or privilege escalation is required beyond the ability to trigger the plugin’s input handling.
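What the CWE‑79 pattern and its fix look like in a WordPress handler, as an added illustration: the function and parameter names (lir_example_*, lir_search) are hypothetical and this is not the plugin’s own code; esc_html(), esc_attr(), sanitize_text_field() and wp_unslash() are WordPress core functions.

```php
<?php
// Added illustration, not code from the Library Instruction Recorder plugin.
// A hypothetical admin page that echoes a search term back to the user.

// BEFORE (CWE-79 pattern): request input is written straight into the page.
function lir_example_render_search_vulnerable() {
    $term = isset( $_GET['lir_search'] ) ? wp_unslash( $_GET['lir_search'] ) : '';
    // Whatever arrives in ?lir_search=... lands in the HTML unescaped, so
    // markup or script in the URL runs in the browser of the user who
    // loads that URL. This is the reflected XSS the advisory describes.
    echo '<p>Results for: ' . $term . '</p>';
    echo '<input type="text" name="lir_search" value="' . $term . '">';
}

// AFTER: the same handler with output escaped for the context it lands in.
function lir_example_render_search_fixed() {
    $term = isset( $_GET['lir_search'] )
        ? sanitize_text_field( wp_unslash( $_GET['lir_search'] ) )
        : '';
    // esc_html() for text nodes, esc_attr() for attribute values: the
    // browser now treats the input as literal text, not markup.
    echo '<p>Results for: ' . esc_html( $term ) . '</p>';
    echo '<input type="text" name="lir_search" value="' . esc_attr( $term ) . '">';
}
```

Escaping must match the output context (HTML body, attribute, URL, JavaScript); esc_html() alone does not protect a value placed inside a script block or an href.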
OpenCVE Enrichment