The reported vulnerability is an improper neutralization of input during web page generation, allowing an attacker to inject script code that is reflected in the browser. Because the compromised input is echoed back without adequate sanitization, a victim who clicks a crafted link or visits a malicious URL could execute arbitrary JavaScript in the context of their session. The attack compromises the confidentiality of the victim’s session data and could be used to hijack accounts or deface the site, but it does not directly allow remote code execution on the server side.

The flaw exists in the "University Quizzes Online" plugin version 1.4 and earlier for WordPress sites. Any site that has the plugin installed and has not upgraded beyond 1.4 is vulnerable.

The CVSS base score of 7.1 indicates a high severity vulnerability. The EPSS score of < 1% suggests that exploitation is unlikely but possible, and the flaw is not yet listed in CISA KEV. The usual attack path involves a user opening a crafted link that includes forged query parameters; the plugin fails to escape these values before rendering the page. The exploitation requires the victim to be on the same origin as the site, and typically the attacker needs to convince the user to click the malicious link, which is a common social‑engineering vector for reflected XSS.