The vulnerability is a reflected Cross‑Site Scripting flaw that arises because the Notifications Center plugin fails to neutralize user-supplied input before rendering it in a web page. An attacker can craft a URL containing malicious script. When an unsuspecting user clicks that link, the script is executed in the victim’s browser, enabling the attacker to steal session data, deface the site, or execute other browser‑side attacks. The weakness is formally categorized as CWE‑79.

WordPress sites that run the Notifications Center plugin by Florian Chaillou are affected. The flaw exists in all releases from the very first version through and including 1.5.2, so any installation of the plugin at or below version 1.5.2 is vulnerable.

The CVSS score of 7.1 describes a high severity that threatens confidentiality, integrity, and availability of site data. The EPSS score of less than 1 % indicates a low current likelihood that attackers will exploit the vulnerability, and it is not listed in the CISA KEV catalog. Attackers can reach the flaw remotely by sending a crafted link; the flaw is a reflected XSS, so it requires the victim to actively visit a malicious URL. If exploited successfully, an attacker can hijack user sessions or inject arbitrary content into the authenticated user’s view.