Impact
The Fast Tube plugin fails to neutralize user-controlled input during web page generation, which enables a reflected cross-site scripting (XSS) vulnerability in the plugin's handling of that data. An attacker can embed arbitrary HTML or JavaScript in query parameters, and the injected content is reflected into the response and executed in the victim's browser. Because the injected code runs with the same privileges as the authenticated user who visits the crafted URL, the flaw may lead to credential theft, session hijacking, or defacement. The weakness corresponds to CWE-79, which covers XSS where user input is reflected into a page without adequate filtering or output encoding.
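As an added illustration of the defect class the advisory describes (this is not the plugin's own code, which is PHP; the parameter name `q`, the page markup and the function names are assumed), the following Python renders a query parameter into a page first without output encoding and then with context-appropriate encoding. In a WordPress plugin the equivalent fix is to wrap reflected values in `esc_html()` for text nodes and `esc_attr()` for attribute values before echoing them.

```python
import html
from urllib.parse import parse_qs


def _param(query_string: str, name: str) -> str:
    """Return the first value of `name` from a raw query string, decoded."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Reflects the 'q' parameter into an HTML text node with no output encoding.

    This is the CWE-79 pattern: whatever the visitor's URL carries is parsed by
    the browser as markup, so '<script>' in the query becomes a live script tag.
    """
    term = _param(query_string, "q")
    return f"<p>Results for: {term}</p>"


def render_hardened(query_string: str) -> str:
    """Same page, but the reflected value is entity-encoded for the text context.

    html.escape turns < > & " ' into entities, so the browser shows the payload
    as literal text instead of executing it (WordPress: esc_html()).
    """
    term = _param(query_string, "q")
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def render_hardened_attr(query_string: str) -> str:
    """Reflection into a quoted attribute value, the second common XSS context.

    Here the dangerous characters are the quote and '=', which would let a value
    close the attribute and start a new one (e.g. an event handler); quote=True
    encodes them (WordPress: esc_attr()).
    """
    term = _param(query_string, "q")
    return f'<input name="q" value="{html.escape(term, quote=True)}">'


if __name__ == "__main__":
    # Constructed sample request: the query string carries a script tag.
    qs = "q=%3Cscript%3Ealert(1)%3C/script%3E"
    print("vulnerable:", render_vulnerable(qs))
    print("hardened:  ", render_hardened(qs))
    print("attribute: ", render_hardened_attr("q=x%22%20onmouseover%3D%22alert(1)"))
```

The important design point is that encoding is chosen per output context: the same `html.escape` call is safe for a text node and for a double-quoted attribute, but it is not sufficient on its own for a value placed inside a `<script>` block, a URL, or a CSS property, each of which needs its own encoder.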
Affected Systems
The vulnerability affects the Caspie Fast Tube WordPress plugin in all releases up to and including version 2.3.1. Every version from the earliest available release through 2.3.1 is potentially exposed, because the affected code path is present in each of them.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests that active exploitation is currently unlikely; the vulnerability is also not listed in the CISA KEV catalog. However, because reflected XSS can be triggered by a single crafted HTTP request, the attack surface remains significant for any site where the plugin processes inbound query strings. An attacker can typically exploit the flaw remotely by convincing a user to click a malicious link, or by embedding on an attacker-controlled page an image or other resource whose URL causes the vulnerable page to load with injected parameters.
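Because exploitation arrives as a crafted request, the most direct detection signal is the web server access log. The following Python is an added example (not part of the advisory or the plugin) that scans constructed Apache combined-format log lines for query-string values that decode to HTML markup or event-handler syntax; the request paths, IPs and referers in the sample are made up, and the `/example-plugin/` path stands in for whichever page of the plugin a site actually exposes.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache/nginx "combined" log format: ip ident user [time] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markup indicators in a decoded parameter value: an opening/closing tag,
# a javascript: URL, or an inline event-handler attribute (onerror=, onload=, ...).
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

# Constructed sample log lines: one benign search, one plain reflected-XSS
# attempt, and one double-percent-encoded attempt.
SAMPLE_LOG_LINES = [
    '198.51.100.7 - - [10/Oct/2024:13:55:01 +0000] "GET /example-plugin/?q=cats HTTP/1.1" 200 812 '
    '"https://site.example/" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] '
    '"GET /example-plugin/?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 '
    '"http://evil.example/lure.html" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2024:13:56:02 +0000] '
    '"GET /example-plugin/?q=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 512 '
    '"-" "curl/8.0"',
]


def flag_reflected_xss(lines, path_prefix="/"):
    """Return one dict per request whose query carries markup-like content.

    Each value is decoded twice: parse_qsl performs the normal percent-decoding,
    and unquote_plus catches payloads that were encoded a second time to slip
    past naive filters.  Only values under `path_prefix` are inspected, so a
    site can narrow the check to the plugin's own pages.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m["target"])
        if not parts.path.startswith(path_prefix):
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            decoded = unquote_plus(value)
            if MARKUP_RE.search(decoded):
                hits.append({
                    "ip": m["ip"],
                    "time": m["ts"],
                    "path": parts.path,
                    "param": name,
                    "decoded": decoded,
                    "referer": m["referer"],
                })
                break  # one finding per request is enough for triage
    return hits


if __name__ == "__main__":
    for hit in flag_reflected_xss(SAMPLE_LOG_LINES, path_prefix="/example-plugin/"):
        print(f'{hit["time"]} {hit["ip"]} {hit["path"]} {hit["param"]}={hit["decoded"]!r} '
              f'referer={hit["referer"]}')
```

The referer field is worth keeping in the output: a reflected-XSS hit whose referer is an unrelated third-party site is consistent with the "malicious link" delivery path the advisory describes, and a 200 response to such a request is the signal that the page rendered the payload rather than rejecting it.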