Impact
Improper neutralization of input in the Quote me plugin allows a reflected cross-site scripting (XSS) attack. An attacker can craft a URL whose parameter carries arbitrary JavaScript; when a victim opens that link, the plugin reflects the parameter into the generated page and the script executes in the victim’s browser, in the origin of the WordPress site and with the victim’s session privileges. The impact is confined to each victim who follows the link, but within that session it can enable session hijacking, theft of credentials entered on the page, or defacement of the page as that victim sees it. The weakness is an instance of CWE‑79: Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting").
Affected Systems
The vulnerability is in the Quote me WordPress plugin by Quincy Kwende and affects any WordPress installation running plugin version 1.0 or earlier; the published range is "n/a through <= 1.0", i.e. every release up to and including 1.0. No affected WordPress core versions are named, because the flaw lies in the plugin’s own code rather than in core.
Risk and Exploitability
A CVSS score of 7.1 places this flaw in the high-severity band. Its EPSS score is below 1%, indicating a low current probability of exploitation in the wild, and it is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Exploitation requires a victim to open a crafted URL, so exposure is limited to users who can be induced to follow such a link, typically via phishing or a link planted on another site; because the injected script runs with the victim’s privileges, a logged-in administrator is the highest-value target. The attacker embeds JavaScript in any plugin input that is reflected unencoded into the response, whether a URL parameter or a form field submitted in the query string, and the code then executes in the context of the victim’s session.
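The mechanism described above, as an added example that is not code from the Quote me plugin: a hypothetical stand-in that reflects a query parameter (assumed here to be named `quote`) into its HTML, once without neutralization (the CWE‑79 pattern) and once with HTML output encoding, plus the canary-reflection probe a tester uses to tell the two apart. The attacker URL and the `example.test` host are constructed for the example. In a WordPress plugin the hardened form corresponds to wrapping the value in esc_html() for an element body or esc_attr() for a quoted attribute.

```python
"""Reflected XSS: vulnerable vs. hardened rendering, plus a reflection probe.

Hypothetical stand-in for a plugin that echoes a query parameter back into
its page output. This is illustrative code, not the Quote me plugin's source.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical parameter name for this stand-in; not taken from the plugin.
PARAM = "quote"


def _param_from_url(url: str) -> str:
    """Return the URL-decoded value the server would see for PARAM."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(PARAM, [""])[0]


def render_vulnerable(url: str) -> str:
    """CWE-79 pattern: input concatenated into HTML without neutralization."""
    value = _param_from_url(url)
    return f'<div class="quote">{value}</div>'


def render_hardened(url: str) -> str:
    """Same output with HTML entity encoding for an element-body context.

    quote=True also encodes " and ', so the value is safe inside a quoted
    attribute too (WordPress: esc_html() / esc_attr()).
    """
    value = _param_from_url(url)
    return f'<div class="quote">{html.escape(value, quote=True)}</div>'


# Constructed attacker link: the payload is percent-encoded as it would be
# when delivered by phishing mail or planted on another site. Decoded, the
# parameter is <script>alert(document.domain)</script>.
ATTACK_URL = (
    "https://example.test/?page=quote-me"
    "&quote=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E"
)

# Canary containing every HTML-significant character. If it comes back
# byte-for-byte, the parameter is reflected without neutralization.
CANARY = "xss\"'<>"


def reflects_unescaped(render, base_url: str) -> bool:
    """Reflection probe: send the canary and check whether it survives intact."""
    probe_url = f"{base_url}&{PARAM}={quote(CANARY, safe='')}"
    page = render(probe_url)
    return CANARY in page


if __name__ == "__main__":
    base = "https://example.test/?page=quote-me"
    print("vulnerable:", render_vulnerable(ATTACK_URL))
    print("hardened:  ", render_hardened(ATTACK_URL))
    for name, fn in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(f"{name} reflects canary unescaped: {reflects_unescaped(fn, base)}")
```

The probe checks for the canary rather than for a working payload because a reflection that preserves `<`, `>`, `"` and `'` is exploitable in some context even when a particular script tag is filtered; conversely, encoding for the element-body context is not sufficient if the value is also reflected inside a `<script>` block or a URL attribute, which need their own context-specific encoding (WordPress: esc_js(), esc_url()).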