The vulnerability is an improper neutralization of input during web page generation that results in a reflected cross‑site scripting flaw. Attackers can inject malicious script code into URLs or form fields processed by the Mass Messaging feature, thus executing arbitrary JavaScript in the victim’s browser. This can lead to session hijacking, defacement, or phishing attacks, directly violating confidentiality, integrity, and availability of the site from the perspective of the affected users. The weakness is a classic input validation failure identified as CWE‑79.

The plugin affected is ElbowRobo Mass Messaging in BuddyPress, a WordPress plugin that extends BuddyPress functionality. The flaw applies to all releases from the initial release through version 2.2.1 inclusive. Systems running any of these versions are vulnerable and must be updated or disabled to mitigate risk.

The CVSS base score of 7.1 places this vulnerability in the medium‑to‑high severity range. The EPSS score of less than 1% indicates a very low probability of exploitation at the time of analysis, and the flaw is not listed in the CISA KEV catalog. The most likely attack vector is a reflected XSS scenario through the plugin’s input handling, requiring no special privileges and re‑executing only when a user accesses a crafted URL or submits a malicious form. While the low exploitation probability reduces immediate risk, the impact of a successful attack remains significant, warranting remediation.