Impact
Improper neutralization of user input in the kiroro Formatted post plugin leads to a reflected XSS vulnerability that allows attackers to inject malicious scripts into a page that is then rendered by legitimate visitors. The flaw permits arbitrary JavaScript execution in the context of the site, which can be used to hijack sessions, deface content, or mount further attacks against users. The weakness is classified under CWE‑79. It does not grant direct access to the server or database, but it can compromise user credentials and confidentiality when a victim interacts with the affected page.
Affected Systems
The flaw affects the WordPress plugin Formatted post, produced by the vendor kiroro, in all releases up to and including version 1.01. Any WordPress installation running this plugin at version 1.01 or earlier is potentially vulnerable. No later major releases are documented as affected.
Risk and Exploitability
The CVSS base score of 7.1 indicates moderate to high severity. The EPSS score of <1% suggests a low but non‑zero probability of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. Attackers would most likely deliver a crafted URL or form input containing JavaScript, which executes in the victim’s browser when the affected page is visited. Because the vulnerability is reflected, the victim needs only to open the crafted link as part of normal browsing; no further interaction is required to trigger exploitation.
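The two paragraphs above describe the mechanism (request data written into HTML without neutralization) and the delivery (a crafted URL reflected back to the visitor). The following is an added illustration, not code from the Formatted post plugin or from kiroro: a generic WordPress‑style output routine in its vulnerable form beside a hardened form, using plain PHP escaping so it runs outside WordPress. The parameter name `fp_title`, the function names and the CSS class are assumptions made for the example; the WordPress helpers `esc_html()` and `esc_attr()` mentioned in comments are the equivalents a plugin author would normally call.

```php
<?php
// Added example (hypothetical code, not the plugin's own). Shows the CWE-79
// pattern: request data echoed into HTML, and the context-aware encoding
// that neutralizes it.

// Vulnerable pattern: the raw request value is concatenated into markup.
function render_title_unsafe(array $request): string {
    $title = $request['fp_title'] ?? '';           // hypothetical parameter
    return '<h2 class="fp-title">' . $title . '</h2>';
}

// Hardened pattern: encode for the exact output context before emitting.
// In WordPress this is esc_html() for text nodes and esc_attr() for quoted
// attributes; htmlspecialchars() with ENT_QUOTES is the plain-PHP equivalent.
function encode_for_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_title_safe(array $request): string {
    $title = $request['fp_title'] ?? '';
    // Same encoding serves a text node and a double-quoted attribute.
    // A URL-valued attribute would additionally need scheme validation
    // (WordPress: esc_url()), which this example does not cover.
    return '<h2 class="fp-title" title="' . encode_for_html($title) . '">'
         . encode_for_html($title) . '</h2>';
}

// Defense in depth: a restrictive CSP limits what an injected script could do
// even if one escaping call is missed. Harmless under the CLI, where no
// HTTP response exists.
function send_csp_header(): void {
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    }
}

// Self-check with a constructed reflected-XSS style input (not a real payload
// from any report; it is the textbook marker string).
function check(bool $ok, string $what): void {
    if (!$ok) { fwrite(STDERR, "FAILED: $what\n"); exit(1); }
}

$probe  = ['fp_title' => '<script>alert(1)</script>'];
$unsafe = render_title_unsafe($probe);
$safe   = render_title_safe($probe);

check(strpos($unsafe, '<script>') !== false, 'unsafe path reflects raw markup');
check(strpos($safe, '<script>') === false,   'safe path contains no live tag');
check(strpos($safe, '&lt;script&gt;') !== false, 'safe path entity-encodes the tag');

send_csp_header();
echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
```

Run it with `php example.php`: the unsafe line shows the marker string reflected as a live `<script>` element, while the safe line shows it entity‑encoded so the browser renders it as text. The point for reviewers of any plugin is that the encoding must happen at output time and match the context (text node, attribute, URL); sanitizing on input alone does not close CWE‑79.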
OpenCVE Enrichment