Impact
This vulnerability is a reflected cross‑site scripting flaw caused by improper neutralization of user input during web page generation. The flaw allows an attacker to inject arbitrary HTML or JavaScript that is reflected back to the victim’s browser. Based on the description, it is inferred that an attacker could exploit this to compromise user sessions or execute malicious code within the victim’s context.
Affected Systems
The affected product is the Gavin Affiliate Tools Việt Nam WordPress plugin; all versions up to and including 0.3.17 are vulnerable (no lower bound is given). Any WordPress installation with a vulnerable version of the plugin installed and active is susceptible.
Risk and Exploitability
The CVSS score of 7.1 classifies the vulnerability as high severity. The EPSS score of less than 1% indicates a very low probability of exploitation in the wild at present. The vulnerability is not listed in the CISA KEV catalog, suggesting no known malicious exploitation at this time. It is inferred that exploitation would require an attacker to deliver a crafted input, such as a specially formed URL or form submission, to a victim, with the input then being reflected into the page so that attacker-controlled JavaScript runs in the victim's browser. The impact is confined to the victim's client side and does not directly compromise the server.
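To make the "improper neutralization during web page generation" concrete, the following is an added, generic WordPress example written for this page; it is not code from the Gavin Affiliate Tools Việt Nam plugin, and the shortcode name, the `ref` query parameter and the referral-code format are hypothetical. It shows the unsafe pattern that matches the CWE-79 description next to a hardened version that sanitizes on input and escapes for the exact output context using WordPress core functions.

```php
<?php
// Added example (not the plugin's own code): a shortcode that reflects a
// query-string value into the rendered page. Shortcode and parameter names
// are hypothetical.

// UNSAFE: the request value is written into the page without neutralization,
// so any markup or script carried in ?ref= is reflected to the browser.
function example_unsafe_ref_shortcode( $atts ) {
    $ref = isset( $_GET['ref'] ) ? $_GET['ref'] : '';
    return '<p class="ref">Referred by: ' . $ref . '</p>';
}

// HARDENED: validate on the way in, escape for the context on the way out.
function example_safe_ref_shortcode( $atts ) {
    // wp_unslash() removes the slashes WordPress adds to superglobals;
    // sanitize_text_field() strips tags, control characters and whitespace.
    $ref = isset( $_GET['ref'] )
        ? sanitize_text_field( wp_unslash( $_GET['ref'] ) )
        : '';

    // Allow-list the expected shape (hypothetical: referral codes are short
    // alphanumerics). Reject anything else instead of trying to "clean" it.
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,32}$/', $ref ) ) {
        return '';
    }

    // Each output context needs its own escaper: esc_attr() for attribute
    // values, esc_html() for text nodes (esc_url() would be used for href/src).
    return sprintf(
        '<p class="ref" data-ref="%s">Referred by: %s</p>',
        esc_attr( $ref ),
        esc_html( $ref )
    );
}

// Only the hardened handler is registered; the unsafe one is shown for
// comparison and should never ship.
add_shortcode( 'example_ref', 'example_safe_ref_shortcode' );
```

The allow-list check is the part that turns a reflected value into a non-issue regardless of escaping mistakes elsewhere; the escaping functions are still required because other call sites may reflect values that cannot be constrained this tightly. To check exposure on an existing site, compare the installed plugin version against 0.3.17, for example with `wp plugin list --fields=name,version,update_version` from WP-CLI, and update or deactivate the plugin if the installed version is at or below that number.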
OpenCVE Enrichment