Impact
Improper handling of user input in the MACME plugin allows attacker-supplied script to be reflected back unescaped into a web page: a reflected cross-site scripting (XSS) vulnerability (CWE-79). An attacker can craft a URL carrying a malicious script which, when opened by a victim, runs in the victim's browser in the origin of the vulnerable site. This can lead to session hijacking, cookie theft, defacement or further actions performed with the victim's session. The CVSS base score of 7.1 reflects that the XSS can have significant impact while requiring only user interaction.
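The pattern behind CWE-79, shown as an added illustration and not as the MACME plugin's own code (the advisory names no parameter or file, so the query parameter `q` and both render functions here are hypothetical): a handler that echoes a request parameter straight into markup, beside the same handler using WordPress's `sanitize_text_field()`, `esc_html()` and `esc_attr()`. The stand-in definitions at the top are approximations of those WordPress functions so the file also runs under plain `php` outside WordPress; inside WordPress the real ones are used.

```php
<?php
// Added example of reflected XSS (CWE-79) in a WordPress-style handler.
// NOT the MACME plugin's code: the parameter "q" and both functions are
// hypothetical, chosen only to show the vulnerable pattern and its fix.

// Stand-ins so the file runs under plain `php` outside WordPress.
// WordPress's real esc_html()/esc_attr() also HTML-encode with ENT_QUOTES,
// so "<", ">", '"' and "'" cannot break out of text or attribute context.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Approximation of WordPress's sanitize_text_field(): drop tags and
    // control characters, trim whitespace.
    function sanitize_text_field(string $text): string {
        $text = strip_tags($text);
        $text = preg_replace('/[\x00-\x1F\x7F]/u', '', $text);
        return trim($text);
    }
}

// Vulnerable pattern: the request parameter is concatenated into HTML
// unescaped, in both a text node and an attribute value.
function render_vulnerable(array $get): string {
    $q = $get['q'] ?? '';
    return '<p>Results for: ' . $q . '</p>'
         . '<input type="text" value="' . $q . '">';
}

// Hardened pattern: sanitize on input, then escape on output using the
// function that matches the context (esc_html for text, esc_attr for
// attribute values). Escaping at output is the part that closes CWE-79.
function render_hardened(array $get): string {
    $q = isset($get['q']) ? sanitize_text_field((string) $get['q']) : '';
    return '<p>Results for: ' . esc_html($q) . '</p>'
         . '<input type="text" value="' . esc_attr($q) . '">';
}

// Constructed payload of the kind a crafted URL (?q=...) would carry:
// closes the attribute, then injects a script element.
$payload = '"><script>alert(document.cookie)</script>';

echo "Vulnerable:\n" . render_vulnerable(['q' => $payload]) . "\n\n";
echo "Hardened:\n"   . render_hardened(['q' => $payload])   . "\n";
```

Running it shows the vulnerable output with the attribute terminated early and a live `<script>` element, while the hardened output contains only an entity-encoded string. When auditing a plugin for this class of bug, look for `$_GET`, `$_REQUEST` or `$_POST` values that reach `echo`, `printf` or string concatenation without passing through an `esc_*` function appropriate to the output context.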
Affected Systems
The MACME WordPress plugin from the vendor xdxdVSxdxd is affected in every release up to and including version 1.2. No lower bound is listed, so all versions 1.2 and earlier should be treated as vulnerable. The plugin is identified only by vendor name and product title.
Risk and Exploitability
The EPSS score of less than 1% indicates a low but non-zero likelihood of exploitation in the wild, and the vulnerability is not currently listed in CISA's KEV catalog. Exploitation requires an attacker to entice a user into opening a crafted link whose payload targets the plugin's reflected input handling. The defect is in the plugin's server-side output handling, but the payload executes in the victim's browser, so the attacker needs no access to the site or its host and can deliver the link from anywhere; successful exploitation still depends on the victim opening the crafted URL. The high severity score reflects that, once executed, the attacker's script runs with the victim's session and privileges on the affected site, which can be leveraged for further attacks.