Impact
This vulnerability is an instance of Improper Neutralization of Input During Web Page Generation: attacker-controlled input is reflected back into the page without escaping, so script content embedded in a request is executed in the victim's browser. The injected script can perform a range of malicious actions, including cookie theft, session hijacking, or execution of arbitrary client-side code in the context of the vulnerable site. The issue is classified as CWE-79 (reflected cross-site scripting) and carries a CVSS score of 7.1, signifying a moderate-to-high potential for exploitation when a crafted link is successfully delivered to a victim.
Affected Systems
The flaw affects the WP Ultimate Reviews FREE plugin developed by jtibbles, in all versions up to and including 1.0.2. Any WordPress site with this plugin enabled at an affected version is therefore vulnerable.
Risk and Exploitability
The exploit probability is low: the EPSS score is listed as <1%, and the vulnerability is not currently tracked in CISA's KEV catalogue. The likely attack vector is a victim-side (reflected) attack in which an attacker crafts a malicious URL containing a script payload that the plugin's review processing logic echoes back unescaped; the attacker needs no privileged access or authentication, only a victim who follows the link. Because the payload executes client-side, the damage is confined to the victim's browser, but it can still result in credential or session theft or defacement of the page as the victim sees it.
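As an added illustration of the CWE-79 pattern this advisory describes and of the fix a plugin author would apply, the following is hypothetical WordPress shortcode code, not code from WP Ultimate Reviews FREE; the shortcode name, the review_filter parameter, the allow-list values and the markup are all assumptions.

```php
<?php
// Hypothetical WordPress shortcode handler illustrating the CWE-79 pattern
// behind this advisory. This is NOT code from WP Ultimate Reviews FREE; the
// shortcode name, parameter name, allow-list and markup are assumptions.

// BEFORE: the request parameter is reflected into the page unchanged, so any
// HTML or script carried in the URL reaches the victim's browser as markup.
function ur_demo_reviews_vulnerable( $atts ) {
    $filter = isset( $_GET['review_filter'] ) ? $_GET['review_filter'] : '';
    return '<div class="ur-reviews" data-filter="' . $filter . '">'
         . '<p>Showing reviews matching: ' . $filter . '</p></div>';
}

// AFTER: validate on input, then escape on output for each context the
// value lands in (attribute context and text-node context differ).
function ur_demo_reviews_fixed( $atts ) {
    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, NUL bytes and stray whitespace.
    $filter = isset( $_GET['review_filter'] )
        ? sanitize_text_field( wp_unslash( $_GET['review_filter'] ) )
        : '';

    // Allow-list: only known filter values are accepted; anything else is
    // discarded rather than reflected. (Values are assumptions.)
    $allowed = array( '', 'recent', 'top', 'verified' );
    if ( ! in_array( $filter, $allowed, true ) ) {
        $filter = '';
    }

    // esc_attr() for the attribute value, esc_html() for the text node.
    return '<div class="ur-reviews" data-filter="' . esc_attr( $filter ) . '">'
         . '<p>Showing reviews matching: ' . esc_html( $filter ) . '</p></div>';
}

add_shortcode( 'ur_demo_reviews', 'ur_demo_reviews_fixed' );
```

If the reflected value were instead placed in a URL or inline JavaScript context, esc_url() or wp_json_encode() would be the appropriate escaper; the allow-list check is what makes the output safe regardless of which escaper is chosen.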
OpenCVE Enrichment
EUVD