Impact
The yCyclista plugin for WordPress improperly neutralizes user input during web page generation, enabling a reflected cross-site scripting vulnerability. An attacker can inject malicious JavaScript into a page that is presented to unsuspecting users, potentially leading to session hijacking, credential theft, defacement, or the delivery of additional malware. This weakness stems from user-supplied input being written into the page without adequate neutralization (CWE-79) and directly compromises the confidentiality and integrity of the affected web application.
Affected Systems
All installations of the yCyclista plugin at version 1.2.3 or earlier are affected. The plugin is distributed by yonisink and is commonly used in WordPress deployments to add hunting-related features. Administrators running the plugin must check the installed version and determine whether an upgrade path is available.
Risk and Exploitability
The CVSS score of 7.1 reflects a high-impact vulnerability with medium exploitation complexity. The EPSS score of <1% indicates that active exploitation is currently rare, and the flaw is not yet listed in the CISA KEV catalog. The attack vector is a reflected XSS scenario: an attacker crafts a URL or form input that carries a malicious payload, the payload is reflected into the page output, and the script executes in the browser of any user who opens that URL, in that user's session context. The vulnerability is exploitable only when the target website includes the vulnerable plugin; otherwise, no attack is possible.
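The following is an added illustration of the CWE-79 pattern described above, not the yCyclista plugin's code: a WordPress shortcode handler that reflects a request parameter into the page, shown in its vulnerable form beside a hardened form that sanitizes the value and escapes it for the HTML context it lands in. The shortcode name, the `q` parameter and the function names are assumptions; `wp_unslash`, `sanitize_text_field`, `esc_attr`, `esc_html` and `add_shortcode` are WordPress core functions.

```php
<?php
// Added illustration, not the yCyclista plugin's code. The shortcode name
// [yc_search], the request parameter "q" and the function names are hypothetical.

// VULNERABLE: the raw query-string value is concatenated straight into the markup.
// A request whose "q" value contains HTML is reflected verbatim, so the browser
// parses it as part of the page (CWE-79, reflected XSS). Note that the value is
// reflected twice, in an attribute and in element text, so one raw echo exposes
// two different injection contexts.
function yc_search_box_vulnerable( $atts = array() ) {
    $term = isset( $_GET['q'] ) ? $_GET['q'] : '';
    return '<form method="get">'
         . '<input type="text" name="q" value="' . $term . '">'
         . '<p>Results for: ' . $term . '</p>'
         . '</form>';
}

// HARDENED: sanitize on input, then escape for the exact output context.
//   wp_unslash()           removes the slashes WordPress adds to request data
//   sanitize_text_field()  strips tags, control characters and extra whitespace
//   esc_attr()             escapes a value placed inside an HTML attribute
//   esc_html()             escapes a value placed inside element text
// Sanitizing alone is not the fix; escaping at output is what neutralizes the
// input for the context it is rendered in, which is exactly what CWE-79 is about.
function yc_search_box_hardened( $atts = array() ) {
    $term = isset( $_GET['q'] )
        ? sanitize_text_field( wp_unslash( $_GET['q'] ) )
        : '';
    return '<form method="get">'
         . '<input type="text" name="q" value="' . esc_attr( $term ) . '">'
         . '<p>Results for: ' . esc_html( $term ) . '</p>'
         . '</form>';
}

// Register only the hardened handler; the vulnerable one is kept for comparison.
add_shortcode( 'yc_search', 'yc_search_box_hardened' );
```

Outside WordPress the same escaping is `htmlspecialchars( $term, ENT_QUOTES, 'UTF-8' )`; a Content-Security-Policy that disallows inline scripts limits the damage if an escaping gap is still missed.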
OpenCVE Enrichment