Impact
An improper neutralization of input during web page generation in the SC Simple Zazzle WordPress plugin lets an attacker supply input that the plugin echoes into its HTML output without encoding, so arbitrary JavaScript is reflected back to the victim's browser. This reflected XSS flaw is classified as CWE‑79. The injected script runs in the victim's browser within the site's origin; when the victim is a logged‑in user, and especially an administrator, that can mean theft of session cookies (where they are not marked HttpOnly), forged authenticated requests on the victim's behalf, site defacement, or injection of further malicious payloads.
Affected Systems
The vulnerability affects the SC Simple Zazzle plugin developed by sayoko for WordPress, with all releases from the earliest available through version 1.1.6 being susceptible. No other vendors or products are mentioned as affected.
Risk and Exploitability
The CVSS score of 7.1 places the issue in the high‑severity range, indicating that successful exploitation could significantly affect the confidentiality and integrity of the victim's session. The EPSS score of less than 1 % estimates a low, though not zero, probability of exploitation in the wild over the coming weeks. The flaw is not listed in the CISA KEV catalog. Based on the description, the attack vector is a reflected XSS: the attacker must lure a victim into visiting a crafted URL or submitting a form whose contents the plugin echoes into the page without encoding, and the script then executes in the victim's browser. No network‑level prerequisites beyond ordinary web traffic to the affected plugin are apparent, but exploitation does require user interaction, so phishing or a malicious link is the realistic delivery path. Operators can confirm exposure by checking the installed plugin version on the WordPress Plugins page or with `wp plugin list`.
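To make the flaw and its fix concrete, the following is an added example and not code from the SC Simple Zazzle plugin or its author. It uses a constructed stand‑in for a plugin page that echoes a request parameter back into an attribute and into element content, shows the same page with context‑appropriate HTML escaping, builds the kind of crafted URL the victim would be lured into opening, and includes a small reflection probe of the sort a pentester uses to tell encoded reflection from raw reflection. The parameter name `q`, the page URL and the canary string are all assumptions.

```python
"""Reflected XSS: vulnerable vs. escaped output, a crafted URL, and a
reflection probe. Constructed stand-ins only; nothing here is the SC Simple
Zazzle plugin's own code, and the parameter name 'q' is an assumption."""
from html import escape
from typing import Callable, Dict
from urllib.parse import urlencode

Render = Callable[[Dict[str, str]], str]


def render_vulnerable(params: Dict[str, str]) -> str:
    """Hypothetical page that echoes the 'q' parameter unencoded.

    This is the CWE-79 pattern: request input is concatenated straight into
    the HTML, once inside a quoted attribute and once as element text."""
    q = params.get("q", "")
    return (
        '<form><input name="q" value="' + q + '"></form>\n'
        "<h2>Results for " + q + "</h2>"
    )


def render_fixed(params: Dict[str, str]) -> str:
    """Same page with output encoding applied at each sink.

    html.escape(quote=True) encodes & < > " and ', which is enough for both
    the attribute and the text context here. In a WordPress plugin the
    equivalents are esc_attr() for attribute values and esc_html() for
    element content."""
    q = params.get("q", "")
    return (
        '<form><input name="q" value="' + escape(q, quote=True) + '"></form>\n'
        "<h2>Results for " + escape(q, quote=True) + "</h2>"
    )


def crafted_url(base: str, param: str, payload: str) -> str:
    """Build the link an attacker would send to the victim.

    The payload is URL-encoded so the browser delivers it intact; the server
    decodes it and, in the vulnerable case, echoes it raw."""
    sep = "&" if "?" in base else "?"
    return base + sep + urlencode({param: payload})


# Canary: an unlikely marker followed by the characters that matter for HTML
# injection. If they come back raw next to the marker, output is unencoded.
MARKER = "zzq7"
SPECIALS = "\"'<>"


def probe_reflection(render: Render, param: str) -> Dict[str, bool]:
    """Inject the canary and classify the reflection.

    Returns {'reflected': marker seen in response,
             'unescaped': marker and specials seen verbatim}.
    'reflected' without 'unescaped' means the page echoes input but encodes
    it, which is the expected post-fix state."""
    payload = MARKER + SPECIALS
    body = render({param: payload})
    return {"reflected": MARKER in body, "unescaped": payload in body}


if __name__ == "__main__":
    # Illustrative payload of the kind used to demonstrate reflected XSS.
    demo = '"><img src=x onerror=alert(document.domain)>'
    print(crafted_url("https://example.test/?page_id=7", "q", demo))
    print("vulnerable:", probe_reflection(render_vulnerable, "q"))
    print("fixed:     ", probe_reflection(render_fixed, "q"))
```

The probe deliberately reports two bits rather than one: a page can legitimately reflect user input, so the finding is "reflected and unescaped", and a fix is confirmed when the marker still appears but the special characters come back as entities.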
OpenCVE Enrichment