Impact
This vulnerability is a Cross-Site Request Forgery that enables a reflected Cross-Site Scripting attack. The WP Service Payment Form With Authorize.net plugin echoes data from a forged request back to the browser without proper sanitization. The description implies that a malicious actor can craft a URL which, when clicked by a legitimate user, triggers the vulnerable flow and injects JavaScript into the response. The injected script executes in the victim's browser context, creating a risk of credential theft, session hijacking, or defacement.
Affected Systems
The vulnerability impacts the WordPress plugin WP Service Payment Form With Authorize.net published by Shiv Prakash Tiwari. All releases up to and including version 2.6.0 are affected; newer versions are assumed to contain the fix.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% signals a low current exploitation probability. Attackers would typically entice a legitimate user to click a crafted link that triggers the plugin's vulnerable flow. The reflected payload executes only in the victim's browser, so the impact is limited to that user's session, but it could lead to cookie theft, malicious redirects, or site defacement.
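The Impact and Risk sections above describe the same two-part weakness: a request that nothing ties to a deliberate user action on the site (CSRF), and request data reflected into the page without escaping (XSS). The following is an added illustration, not code from the WP Service Payment Form With Authorize.net plugin, showing a hypothetical WordPress form handler first in that vulnerable pattern and then hardened with a nonce check, input sanitization and output escaping. The function and field names (spf_demo_render_form_vulnerable, spf_demo_render_form_hardened, spf_demo_amount, spf_demo_nonce, the spf_demo_submit nonce action) are assumptions; the WordPress API calls (wp_nonce_field, wp_verify_nonce, wp_unslash, sanitize_text_field, esc_attr, wp_die) are the standard ones.

```php
<?php
/**
 * Added example (not the plugin's own code): a hypothetical payment-form handler
 * shown in the vulnerable pattern the advisory describes, then in a hardened form.
 * All spf_demo_* names are assumptions for illustration.
 */

// VULNERABLE PATTERN: the value comes from $_REQUEST, so a plain GET link can
// supply it (nothing binds the request to this user's action), and it is echoed
// straight into an attribute, so crafted input can break out and run script.
function spf_demo_render_form_vulnerable() {
    $amount = isset( $_REQUEST['spf_demo_amount'] ) ? $_REQUEST['spf_demo_amount'] : '';
    echo '<form method="post">';
    echo '<input type="text" name="spf_demo_amount" value="' . $amount . '">';
    echo '<button type="submit">Pay</button>';
    echo '</form>';
}

// HARDENED PATTERN: accept the value only from a POST that carries a valid nonce,
// sanitize it on the way in, and escape every value on the way out.
function spf_demo_render_form_hardened() {
    $amount = '';

    if ( isset( $_SERVER['REQUEST_METHOD'] ) && 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        // CSRF check: the nonce is emitted only on pages this site served to this
        // user, so a link hosted elsewhere cannot carry a valid one.
        $nonce = isset( $_POST['spf_demo_nonce'] )
            ? sanitize_text_field( wp_unslash( $_POST['spf_demo_nonce'] ) )
            : '';
        if ( ! wp_verify_nonce( $nonce, 'spf_demo_submit' ) ) {
            wp_die( esc_html__( 'Invalid request.', 'spf-demo' ), 403 );
        }

        // Input sanitization: strip tags/control characters, then accept only the
        // shape a payment amount can legitimately have (digits, optional 2 decimals).
        $raw    = sanitize_text_field( wp_unslash( $_POST['spf_demo_amount'] ?? '' ) );
        $amount = preg_match( '/^\d+(\.\d{1,2})?$/', $raw ) ? $raw : '';
    }

    echo '<form method="post">';
    // Emits the hidden nonce input that wp_verify_nonce() above checks.
    wp_nonce_field( 'spf_demo_submit', 'spf_demo_nonce' );
    // Output escaping: even if validation were loosened later, esc_attr() keeps the
    // value inside the attribute, which is what stops the reflected XSS.
    echo '<input type="text" name="spf_demo_amount" value="' . esc_attr( $amount ) . '">';
    echo '<button type="submit">Pay</button>';
    echo '</form>';
}
```

The two fixes are independent and both are needed: the nonce stops a forged request from reaching the echo at all, while escaping (and, for a numeric field, the strict input check) makes the echo safe even for requests that do get through. Reviewing a plugin for this class of issue means looking for each of those three steps wherever request data is rendered: a nonce or capability check on the request, sanitization of the input, and an esc_* call at the point of output.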
OpenCVE Enrichment