The AppReview plugin for WordPress has an improper neutralization of input when generating web pages, leading to a reflected XSS flaw. This vulnerability is a classic output‑encoding issue (CWE‑79) capable of delivering malicious JavaScript to vulnerable users. An attacker who can craft a URL or form submission that the plugin reflects directly in the page output can run arbitrary scripts in the victim’s browser, potentially hijacking sessions, defacing sites, or phoning home to the attacker. The flaw is not a privilege escalation limitation; it merely requires that the victim visits a crafted request served by the vulnerable plugin.

WordPress sites that use the podspod AppReview plugin version 0.2.9 or earlier are affected. The vulnerability exists across all releases that fall within the n/a through <= 0.2.9 range defined by the vendor.

The CVSS score of 7.1 indicates a high severity Attack Vector of Network, with confidentiality, integrity, and availability impacted at a moderate level. The EPSS score is less than 1 % and the vulnerability is not currently listed in the CISA KEV catalog, suggesting low current exploitation probability, but the potential impact should not be underestimated. An attacker can exploit this flaw remotely by delivering a crafted request to users who view pages containing AppReview output. The attack requires only that the victim clicks the malicious URL or otherwise submits a malicious request to the plugin, which is commonly feasible through phishing or embedded links.