Impact
The Content Mirror plugin by dreamsofmatter is vulnerable to reflected cross‑site scripting because it fails to properly neutralize user input that is included in the generated web page. A malicious user can embed arbitrary JavaScript or other active content into the query parameters, and when the plugin processes the request the payload is returned unchanged in the response. Execution of such scripts occurs in the context of the victim’s browser. The CVE description states that the flaw may compromise confidentiality, integrity, or availability. Based on the nature of reflected XSS, common consequences—such as the theft of session cookies, credential extraction, or manipulation of the page—can be inferred, although the CVE text does not explicitly cite these outcomes.
Affected Systems
Affected systems are WordPress installations that have the Content Mirror plugin installed, version 1.2 or earlier. The vulnerability applies regardless of user role or authentication status; any user who can access the plugin’s output can be targeted.
Risk and Exploitability
The CVSS score of 7.1 denotes high severity. The EPSS score of <1% indicates a low estimated probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. While the CVE entry does not provide an explicit attack vector, the nature of a reflected XSS flaw implies that attackers would likely craft URLs that carry malicious payloads in query strings and lure victims into visiting them. Since the flaw is triggered by unsanitized input, it can be exploited remotely by any networked user with access to the vulnerable URL.
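The reflection described under Impact, next to its output-encoded form, as an added example that is not code from the Content Mirror plugin. The parameter name `mirror_src` and all four functions are hypothetical, and the probe value is constructed.

```php
<?php
// Added illustration; not code from the Content Mirror plugin.
// The parameter name "mirror_src" and every function here are hypothetical.

// Encode for an HTML text context. Inside WordPress this uses esc_html();
// the fallback lets the file run on plain PHP.
function demo_escape(string $value): string {
    if (function_exists('esc_html')) {
        return esc_html($value);
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: request data is concatenated into markup unchanged.
function render_vulnerable(array $query): string {
    $src = $query['mirror_src'] ?? '';
    return '<p>Mirroring: ' . $src . '</p>';
}

// Hardened pattern: reject non-string input (e.g. mirror_src[]=...) and
// encode the value at the point of output.
function render_hardened(array $query): string {
    $src = $query['mirror_src'] ?? '';
    if (!is_string($src)) {
        $src = '';
    }
    return '<p>Mirroring: ' . demo_escape($src) . '</p>';
}

// Regression check: does a probe containing markup characters come back raw?
function reflects_raw(string $html, string $probe): bool {
    return strpos($html, $probe) !== false;
}

// Constructed probe: inert markup, enough to show whether encoding happens.
$probe = '<b id="probe-7f3a">x</b>';
$query = ['mirror_src' => $probe];

foreach (['render_vulnerable', 'render_hardened'] as $fn) {
    $html = $fn($query);
    printf("%-18s raw reflection: %s\n  %s\n", $fn,
        reflects_raw($html, $probe) ? 'YES' : 'no', $html);
}
```

The same raw-reflection check can be kept as a regression test against a staging copy of a site once the plugin is updated or removed.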