This vulnerability is an Improper Neutralization of Input During Web Page Generation, allowing attackers to inject malicious scripts that are reflected back to the victim’s browser. Attackers could trick users into visiting a crafted URL that contains arbitrary JavaScript, leading to malicious code execution, theft of credentials, session hijacking, or defacement of the site. The weakness is a classic reflected Cross‑Site Scripting flaw, aligning with CWE‑79.

The Easy Code Placement plugin from the WordPress ecosystem, maintained by wusserheimer, is affected. Any installation running the plugin at version 18.11 or older is vulnerable, and, per the vendor, any version from the original release (n/a) up through 18.11 is susceptible.

The EPSS score indicates less than 1% probability that this vulnerability will be exploited in the wild, and it is not listed in the CISA KEV catalog, suggesting low current exploitation activity. The attack vector most likely relies on a maliciously crafted request that leverages the plugin’s code rendering endpoint, requiring the victim to click a link or visit a URL in a browser. Because the flaw is remote and reflects user input without sanitization, it can be exploited without additional authentication or local access, elevating the risk especially on sites that allow untrusted users to submit code via the plugin.