Impact
Improper neutralization of user-supplied input in the Narnoo Operator shortcodes leads to a reflected cross-site scripting flaw. An attacker can inject arbitrary JavaScript that executes in the victim's browser when the victim loads a crafted URL containing the vulnerable parameter. The impact includes the ability to steal session cookies, deface the site, or perform unauthorized actions on behalf of the user. The weakness is a classic input validation failure (CWE-79).
Affected Systems
Vulnerable systems are WordPress installations running the Narnoo Operator plugin version 2.0.0 or earlier. The affected plugin, Narnoo: Narnoo Operator, uses shortcodes that fail to escape user input, so any site that has deployed the plugin without a patched release is at risk. Every release from the earliest up to and including 2.0.0 is affected.
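To find affected installs, the version range above can be checked against each plugin's file header. The script below is an added example, not part of the advisory or the plugin: it assumes the plugin identifies itself with a "Plugin Name:" header containing "Narnoo Operator" and that plugins live under wp-content/plugins; the sample headers, including the 2.0.1 version string, are constructed.

```python
import re
import sys
from pathlib import Path

PLUGIN_NAME = "narnoo operator"  # assumed text of the "Plugin Name:" header
LAST_AFFECTED = (2, 0, 0)        # from the advisory: 2.0.0 and earlier

# WordPress plugin headers are "Key: value" lines inside a leading comment.
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)

def parse_version(text):
    """Turn '2.0', '1.9.10' or '2.0.0-beta' into a 3-tuple of ints."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def read_header(php_source):
    """Return the header fields found in the first 8 KB of a plugin file."""
    return {k.lower(): v for k, v in HEADER_RE.findall(php_source[:8192])}

def is_affected(php_source):
    """True/False for a Narnoo Operator file, None for any other file."""
    header = read_header(php_source)
    if PLUGIN_NAME not in header.get("plugin name", "").lower():
        return None
    if "version" not in header:
        return True  # version unknown: treat as affected until verified
    return parse_version(header["version"]) <= LAST_AFFECTED

def audit(plugins_dir):
    """List plugin files under plugins_dir/*/ that are in the affected range."""
    return [str(php) for php in sorted(Path(plugins_dir).glob("*/*.php"))
            if is_affected(php.read_text(errors="replace"))]

# Constructed sample headers (not copied from the real plugin source).
SAMPLE_OLD = "<?php\n/*\nPlugin Name: Narnoo Operator\nVersion: 2.0.0\n*/\n"
SAMPLE_NEW = "<?php\n/*\n * Plugin Name: Narnoo Operator\n * Version: 2.0.1\n */\n"
SAMPLE_OTHER = "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.7.2\n*/\n"

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    for path in audit(root):
        print("affected:", path)
```

Run it with the path to a site's plugins directory as the only argument; each printed path is an install that still needs the update.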
Risk and Exploitability
With a CVSS v3.1 score of 7.1, the flaw is considered moderate-to-high severity. The EPSS metric indicates a very low exploitation probability (<1%), and the flaw is not listed in the CISA KEV catalog. Exploitation would likely require a malicious link directed at a trusted user, making social engineering or phishing the primary attack vector. While the low EPSS score reduces the risk, any user who interacts with the crafted URL can be compromised until the plugin is updated.