Impact
Improper neutralization of input during web page generation allows an attacker to inject malicious scripts into the output of the custom‑post‑edit plugin. The reflected XSS flaw lets an attacker execute arbitrary JavaScript in the context of a victim’s browser, potentially stealing credentials, defacing the page, or facilitating phishing attacks. The vulnerability stems from missing input sanitization and is classified as CWE‑79.
Affected Systems
Any WordPress site that has installed Christopher Churchill’s custom‑post‑edit plugin version 1.0.4 or earlier is vulnerable. The flaw resides in the front‑end‑post‑edit component, so any user who can access the front‑end editing interface is at risk.
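A defender-side check for the affected range stated above, as an added example that is not part of the advisory or the plugin: it reads the plugin's WordPress header comment and flags installs at version 1.0.4 or earlier. The directory name `custom-post-edit`, the status labels and the helper names are assumptions.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (1, 0, 4)              # advisory: version 1.0.4 or earlier
PLUGIN_DIR_NAME = "custom-post-edit"   # assumption: plugin directory slug
# WordPress reads plugin metadata from a comment header in the main file.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(.+?)[ \t]*$", re.M | re.I)

def parse_version(text):
    """'1.0.4' -> (1, 0, 4); returns None when no digits are present."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums))) if nums else None

def installed_version(plugin_dir):
    """Return the Version header string of the plugin's main file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        if "Plugin Name:" in head:
            match = HEADER_RE.search(head)
            return match.group(1) if match else None
    return None

def audit(wp_root):
    """Classify one WordPress root: absent, affected, above-range or unknown."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_DIR_NAME
    if not plugin_dir.is_dir():
        return ("absent", None)
    version = installed_version(plugin_dir)
    parsed = parse_version(version) if version else None
    if parsed is None:
        return ("unknown", version)   # installed, version unreadable: review by hand
    status = "affected" if parsed <= LAST_AFFECTED else "above-range"
    return (status, version)

def make_sample(root, version_line):
    """Build a constructed WordPress tree with a minimal plugin header."""
    plugin_dir = Path(root) / "wp-content" / "plugins" / PLUGIN_DIR_NAME
    plugin_dir.mkdir(parents=True)
    header = "<?php\n/*\n * Plugin Name: Sample (constructed)\n" + version_line + " */\n"
    (plugin_dir / "plugin.php").write_text(header, encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(make_sample(tmp, " * Version: 1.0.4\n")))  # constructed input
```

A result of `above-range` only means the version is newer than 1.0.4; the advisory does not name a fixed release, so treat it as a prompt to check the vendor's changelog.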
Risk and Exploitability
The CVSS score of 7.1 reflects significant potential impact on users’ browsers, while the EPSS score of <1% indicates a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog, which suggests it has not yet been reported as exploited. Based on the description, the likely attack vector is a crafted HTTP request to the plugin’s front‑end endpoint that carries a malicious script payload. Successful exploitation requires the attacker to lure a victim into visiting the malicious URL; once the victim opens it, the injected code runs with the victim’s browser privileges.
OpenCVE Enrichment