The vulnerability is an improper neutralization of user input during web page generation (CWE‑79) that allows malicious scripts to be injected and executed in a visitor’s browser. When the plugin renders data that originates from a form field or query parameter without sufficient escaping, the reflected payload can run silently in the context of the affected site. The description does not detail specific downstream effects such as credential theft, but execution of arbitrary JavaScript within the user’s session is a direct consequence of the flaw.

The affected product is the Tauhidul Alam Advanced Angular Contact Form plugin for WordPress. All versions from the earliest available through version 1.1.0 are identified as vulnerable; versions beyond 1.1.0 are not listed as affected in the current data.

With a CVSS score of 7.1, the vulnerability is considered high severity. An EPSS score of less than 1% suggests a low likelihood of exploitation in the wild at this time, and it is not included in the CISA KEV catalog, indicating no known widespread exploitation to date. The attack requires no special privileges; an attacker only needs to craft an input (e.g., via a specially constructed URL or form submission) that contains malicious script, which the plugin reflects back to the user’s browser.