Impact
This vulnerability is an improper neutralization of input during web page generation (reflected cross-site scripting): an attacker can embed malicious JavaScript in input that the plugin reflects back, unescaped, in its response to a victim. When a user views data submitted through the Contact Form 7 Round Robin Lead Distribution plugin, the script runs in the victim's browser, giving the attacker the ability to steal session cookies, hijack the user's session, or deface the site. The weakness is identified as CWE-79.
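To make the CWE-79 mechanism concrete, the following added example (written for this page, not code from the plugin or its author) renders a submitted form field once without encoding and once through an HTML-text and an HTML-attribute encoder. The field name, the surrounding markup and the test string are constructed; the plugin itself is PHP, where the equivalent output-encoding calls are WordPress's esc_html() and esc_attr().

```python
import html

# Constructed sample: a contact-form "name" value as an attacker might submit it.
# A generic XSS test string, not a payload taken from the advisory.
MALICIOUS_NAME = '<script>alert(1)</script>'


def render_vulnerable(name: str) -> str:
    """CWE-79 pattern: the submitted value is concatenated straight into HTML,
    so any markup in it becomes part of the page the victim's browser parses."""
    return f"<p>Thanks, {name}. Your lead was routed.</p>"


def render_hardened(name: str) -> str:
    """HTML-text context: encode &, <, >, quotes so the value is displayed as
    text rather than parsed as markup (WordPress analogue: esc_html())."""
    return f"<p>Thanks, {html.escape(name, quote=True)}. Your lead was routed.</p>"


def render_attribute_hardened(name: str) -> str:
    """HTML-attribute context: quotes must be encoded too, or the value can
    close the attribute and add event handlers (WordPress analogue: esc_attr())."""
    return f'<input type="text" name="name" value="{html.escape(name, quote=True)}">'


def contains_active_markup(fragment: str) -> bool:
    """Crude check used only to show whether a raw <script> tag survived rendering."""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    print(render_vulnerable(MALICIOUS_NAME))           # tag reaches the browser intact
    print(render_hardened(MALICIOUS_NAME))             # tag is displayed as text
    print(render_attribute_hardened('" onfocus="x'))   # quote cannot close the attribute
```

The fix is applied at the output sink, not the input: the same value may be safe in one context (a database column) and dangerous in another (an HTML page), so encoding must match the context where the value is written.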
Affected Systems
The WordPress plugin Contact Form 7 Round Robin Lead Distribution by David Jeffrey is affected in every installation running version 1.2.1 or lower.
Risk and Exploitability
The CVSS score of 7.1 indicates a high impact, while the EPSS score of < 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker can trigger the XSS by sending a crafted request to the plugin's endpoint, which reflects user input back to the visitor. Because the flaw is reflected XSS, the attacker must control the input that is reflected in the response, typically by manipulating a form or URL that the victim then visits. Those who administer the site or can inject content through the plugin may exploit it; security teams should monitor for suspicious traffic and promptly patch or mitigate the vulnerable code.
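One way to act on the "monitor for suspicious traffic" advice is to scan web server access logs for requests whose query parameters carry markup or script fragments, which is what a reflected-XSS probe against any plugin endpoint looks like on the wire. The example below is added for this page and is not the plugin's code or a signature published by the advisory; the log lines, paths, IP addresses and parameter names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access-log lines in combined log format. Paths and
# parameter names are invented; they are not the plugin's real endpoints.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2025:12:00:01 +0000] "GET /?page_id=12&lead_name=Alice HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.11 - - [10/May/2025:12:00:05 +0000] "GET /?page_id=12&lead_name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5201 "-" "Mozilla/5.0"
203.0.113.12 - - [10/May/2025:12:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=rr_leads&q=%22%20onmouseover%3D%22alert(1) HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.13 - - [10/May/2025:12:00:12 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of markup or script injection in a reflected parameter value.
XSS_PATTERNS = [
    re.compile(r'<\s*script', re.I),
    re.compile(r'javascript\s*:', re.I),
    re.compile(r'\bon[a-z]+\s*=', re.I),            # inline event handlers (onload=, onmouseover=, ...)
    re.compile(r'<\s*(img|svg|iframe|object)\b', re.I),
]


def suspicious_params(target: str) -> list[tuple[str, str]]:
    """Return (name, decoded_value) pairs whose decoded value matches an XSS indicator."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl already percent-decodes once; a second pass catches double encoding.
        decoded = unquote_plus(value)
        if any(p.search(decoded) for p in XSS_PATTERNS):
            hits.append((name, decoded))
    return hits


def scan_log(text: str) -> list[dict]:
    """Parse each log line and report requests carrying suspicious parameter values."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "status": m["status"], "params": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["ts"], f["status"], f["params"])
```

A 200 status on a flagged request does not by itself prove the input was reflected unescaped; treat hits as triage leads, confirm against the plugin version in use, and prioritise patching over signature tuning.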
OpenCVE Enrichment