Impact
The vulnerability is improper neutralization of input during web page generation, which allows an attacker to craft a URL or input that contains malicious script. When a visitor accesses the vulnerable page, the script executes in the browser, potentially letting the attacker steal session cookies, deface the site, or execute further client‑side attacks. This XSS flaw therefore lets attackers compromise the confidentiality and integrity of user data on all affected sites.
Affected Systems
The affected systems are WordPress installations that use the Think201 Data Dash plugin. All versions of this plugin from its initial release through version 1.2.3 inclusive are vulnerable to the reflected XSS flaw. Administrators should verify which version is in use and plan an upgrade or removal accordingly.
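One way to carry out the version check described above, as an added example that is not part of the advisory or the plugin's own code: it reads the standard WordPress plugin header (`Plugin Name:` / `Version:`) of each plugin and flags versions up to 1.2.3. The match on "Data Dash" in the header name is an assumption, and the directory names and the 1.2.4 version in `demo()` are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (1, 2, 3)  # advisory: every version through 1.2.3 is affected
NAME_PATTERN = re.compile(r"data\s*dash", re.I)  # assumption: header name contains "Data Dash"
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def parse_header(php_file):
    """Return (name, version) from a WordPress plugin header, or None if absent."""
    head = Path(php_file).read_bytes()[:8192].decode("utf-8", "replace")  # WordPress reads the first 8 KB
    fields = {key.lower(): value for key, value in HEADER.findall(head)}
    if "plugin name" not in fields:
        return None
    return fields["plugin name"], fields.get("version", "")

def version_tuple(version):
    """'1.2.3' -> (1, 2, 3); short versions are zero-padded, '-beta' style suffixes dropped."""
    parts = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    return tuple(parts + [0] * (3 - len(parts)))

def audit(plugins_dir):
    """Return (path, version, vulnerable) for each matching plugin under plugins_dir."""
    findings = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        parsed = parse_header(php_file)
        if parsed and NAME_PATTERN.search(parsed[0]):
            version = parsed[1]
            # A missing version string is flagged so that it gets reviewed by hand.
            vulnerable = not version or version_tuple(version) <= LAST_AFFECTED
            findings.append((str(php_file), version, vulnerable))
    return findings

def demo():
    """Run the audit over a constructed plugins directory (sample data, not real installs)."""
    sample = {"data-dash": ("Data Dash", "1.2.3"),
              "data-dash-new": ("Data Dash", "1.2.4"),
              "other": ("Hello Dolly", "1.7.2")}
    with tempfile.TemporaryDirectory() as root:
        for slug, (name, version) in sample.items():
            plugin_dir = Path(root, slug)
            plugin_dir.mkdir()
            header = f"<?php\n/*\n * Plugin Name: {name}\n * Version: {version}\n */\n"
            Path(plugin_dir, slug + ".php").write_text(header)
        return [(Path(path).parent.name, ver, bad) for path, ver, bad in audit(root)]

if __name__ == "__main__":
    print(demo())
```

On a real site, point `audit()` at the `wp-content/plugins` directory; any entry reported with `vulnerable=True` is in the affected range.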
Risk and Exploitability
The CVSS score of 7.1 classifies the issue as high severity. Because the EPSS score is below 1% and the vulnerability is not listed in CISA’s KEV catalog, the probability of public exploitation is currently low. Nonetheless, the attack vector is remote; an attacker needs only to embed a crafted link or script in a page viewed by a user. A susceptible visitor’s browser will execute the attacker‑supplied code, giving the threat actor the ability to steal credentials or perform malicious actions.