Impact
The vulnerability is an improper neutralization of input during web page generation (CWE-79) that allows reflected cross‑site scripting in the DN Sitemap Control WordPress plugin up to and including version 1.0.6. The plugin writes user‑supplied request data back into the HTTP response without escaping it for the HTML context in which it lands, so an attacker who gets a victim to open a crafted link can run arbitrary JavaScript in that victim’s browser, in the origin of the affected site. Because the script runs inside the victim’s session, a logged‑in administrator lured to such a link can be made to perform any action their account permits. Exploitation can therefore lead to session hijacking, credential theft, defacement, or the delivery of further malicious payloads, compromising the confidentiality and integrity of data accessed through the affected site.
Affected Systems
The flaw affects the WordPress plugin DN Sitemap Control from digireturn, specifically all releases through and including 1.0.6. Site administrators should inventory every WordPress installation running this plugin and check the installed version against that range.
Risk and Exploitability
The CVSS score of 7.1 places this reflected XSS in the High severity band, while the EPSS score of < 1% suggests a low probability of exploitation in the wild at the present time. The vulnerability is not yet cataloged in CISA’s KEV list. An attacker would need to craft a URL or form input containing script that the plugin mirrors into the page, and the victim would have to visit that URL or submit that input; the payload is not stored, so each victim must be reached individually. Because exploitation requires user interaction, the real‑world risk depends on the site’s traffic, on who the attacker can entice (an administrator is far more valuable than an anonymous visitor), and on whether the site ships a Content Security Policy that limits what injected script can do.
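The two passages above describe the mechanism (input mirrored into the response unescaped) and the delivery (a crafted URL the victim opens). The following is an added example, not code from the DN Sitemap Control plugin or from OpenCVE: a small reflection check of the kind an administrator would run against a site to see whether a given query parameter is reflected verbatim, HTML‑escaped, or not at all. The parameter name `q`, the base URL and the two constructed page generators are assumptions for illustration; the page does not state which parameter the plugin reflects.

```python
"""Reflected-XSS reflection check (added example; assumptions are marked).

Builds a probe URL carrying a unique canary in a query parameter and
classifies how a response body reflects that canary. The canary contains
the characters a CWE-79 sink must neutralize: '"', '<' and '>'.
"""
import html
import secrets
from urllib.parse import urlencode, urlsplit, urlunsplit


def make_canary() -> str:
    """Canary that breaks out of an attribute and opens a tag; the random
    suffix lets us match this exact probe and nothing else in the response."""
    return f'"><x{secrets.token_hex(4)}>'


def build_probe_url(base_url: str, param: str, canary: str) -> str:
    """Return base_url with the query replaced by ?param=<canary>.
    urlencode percent-encodes the canary, so the URL itself is well formed."""
    parts = urlsplit(base_url)
    query = urlencode({param: canary})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def classify_reflection(body: str, canary: str) -> str:
    """Classify how a response body reflects the canary.

    'unescaped': the canary appears verbatim, so '"', '<' and '>' reached the
                 page without neutralization (the vulnerable condition).
    'escaped'  : the canary appears only after HTML-unescaping the body, i.e.
                 the site emitted &quot;/&lt;/&gt; (or numeric equivalents),
                 which the browser renders as text rather than markup.
    'absent'   : the parameter is not reflected at all.
    """
    if canary in body:
        return "unescaped"
    if canary in html.unescape(body):
        return "escaped"
    return "absent"


# --- Constructed sample page generators (not captured from a real site) ---

def vulnerable_page(value: str) -> str:
    """Assumed vulnerable pattern: request data concatenated straight into
    an attribute value. Mirrors the CWE-79 condition described above."""
    return f'<input type="text" name="q" value="{value}">'


def hardened_page(value: str) -> str:
    """Fixed pattern: escape for the attribute context before output
    (the equivalent of WordPress's esc_attr() on the PHP side)."""
    return f'<input type="text" name="q" value="{html.escape(value, quote=True)}">'


def run_check(page_fn, param: str = "q", base: str = "https://example.test/") -> tuple:
    """Offline driver: build the probe URL, feed the parameter value to the
    constructed page generator, and classify the result. Against a live site
    you would instead fetch `url` and pass the response body to
    classify_reflection()."""
    canary = make_canary()
    url = build_probe_url(base, param, canary)
    body = page_fn(canary)
    return url, classify_reflection(body, canary)


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_page), ("hardened", hardened_page)):
        url, verdict = run_check(fn)
        print(f"{name:10s} {verdict:9s} {url}")
```

An `unescaped` verdict shows only that the parameter reaches an HTML attribute or text node without neutralization; a sink inside a `<script>` block or a JavaScript event handler needs a canary with `'`, `;` and `)` instead, and escaping for that context is different again. Run the probe against a staging copy rather than production, and treat any `unescaped` result as confirmation that the plugin should be updated or disabled.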
OpenCVE Enrichment
EUVD