Impact
The vulnerability is an instance of Improper Neutralization of Input During Web Page Generation (CWE-79), which enables reflected cross-site scripting. Input that an attacker supplies in a URL or form submission is echoed back into a page that TotalContest Lite generates without being encoded for its output context. Because the payload is reflected rather than stored, the attacker has to get a victim to open a crafted link or submit a crafted form; the script then runs in the victim's browser in the origin of the vulnerable WordPress site, where it can potentially read session cookies that are not marked HttpOnly, deface content, or redirect the user to a phishing site.
Affected Systems
TotalSuite's TotalContest Lite plugin for WordPress is affected. All releases up to and including 2.8.1 contain the flaw, so any WordPress site running one of these versions is susceptible.
Risk and Exploitability
The CVSS base score of 7.1 places this in the high-severity band (7.0 to 8.9), while the EPSS score of under 1 % indicates a low predicted probability of exploitation in the wild over the next 30 days. The vulnerability is not currently listed in CISA's KEV catalog, so no confirmed active exploitation has been recorded there; absence from KEV is not evidence that exploitation will not happen. The flaw is exploitable remotely: the attacker places the payload in a vulnerable parameter of an HTTP request, typically as a link, and the victim's browser renders the reflected script when the response is displayed. Because the payload is reflected, the attacker only needs the victim to follow a link or submit an attacker-controlled form to trigger execution, which makes the attack straightforward for an adversary with basic knowledge of XSS; the user-interaction requirement is the main constraint on exploitation.
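As an added illustration, not TotalContest Lite's own code and not taken from the advisory, the following shows the pattern behind CWE-79 beside the fix a plugin author would apply, together with the crude reflection check a tester runs against a captured response. The parameter name q, the markup and the payloads are hypothetical. In WordPress the encoding would be done with esc_attr() and esc_html(); here a standalone htmlspecialchars() wrapper stands in for them so the script runs under the php CLI without WordPress.

```php
<?php
// Added example of a reflected XSS sink and its hardened form.
// Not TotalContest Lite's code; parameter "q" and the markup are hypothetical.

// Vulnerable pattern: request input is concatenated straight into HTML.
// In a real plugin $q would come from $_GET['q'] (after wp_unslash()).
function render_search_vulnerable(string $q): string {
    return '<input type="text" name="q" value="' . $q . '">'
         . '<p>Results for: ' . $q . '</p>';
}

// Standalone stand-in for WordPress esc_attr()/esc_html(): encode <, >, &
// and BOTH quote styles, because the first sink above is an attribute value
// delimited by double quotes and a bare " would otherwise close it.
function html_encode(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: encode every reflected value for the context it lands in.
function render_search_hardened(string $q): string {
    return '<input type="text" name="q" value="' . html_encode($q) . '">'
         . '<p>Results for: ' . html_encode($q) . '</p>';
}

// Crude tester's check: does the raw payload appear unchanged in the response?
// A hit means the value is reflected without encoding and deserves a manual look.
function reflects_unescaped(string $body, string $payload): bool {
    return strpos($body, $payload) !== false;
}

// Constructed payloads: one closes the attribute and injects a tag,
// one stays inside the attribute and adds an event handler.
$payloads = [
    '"><script>alert(document.domain)</script>',
    '" autofocus onfocus="alert(1)',
];

foreach ($payloads as $p) {
    $vuln = render_search_vulnerable($p);
    $safe = render_search_hardened($p);
    printf("payload: %s\n", $p);
    printf("  vulnerable reflects raw: %s\n", reflects_unescaped($vuln, $p) ? 'yes' : 'no');
    printf("  hardened reflects raw:   %s\n", reflects_unescaped($safe, $p) ? 'yes' : 'no');
    printf("  hardened output: %s\n\n", $safe);
}
```

The substring check is deliberately naive: it only tells you the input came back untouched, which is the symptom of the weakness, not proof that a given payload executes. Browser-side confirmation and the exact output context (attribute, text node, script block, URL) decide which payload actually fires, and the fix is the same regardless: encode at the point of output, for that context.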