The vulnerability arises from improper neutralization of input during web page generation, allowing an attacker to inject malicious scripts that are reflected back to the user’s browser. This reflected cross‑site scripting flaw can lead to session hijacking, credential theft, or delivery of malware, and it is considered a violation of user confidentiality and integrity.

The problem is present in the WordPress Staging CDN plugin for WordPress sites, specifically affecting all releases up to and including version 1.0.0. The plugin, developed by Ronan Mockett, is commonly deployed to provide staging and CDN functionality within WordPress installations.

The CVSS score of 7.1 indicates a high severity and the EPSS score of less than 1 % suggests a low probability of current exploitation. The flaw is not listed in the CISA KEV catalog, but attackers can still trigger the XSS by crafting a URL that includes malicious script fragments and directing victims to it. Because the script is reflected directly in the response, any user who clicks the URL or inadvertently visits it with an active browser can be compromised. The attack vector is inferred to be remote via an HTTP request to a vulnerable endpoint of the plugin.