Impact
The vulnerability exists in the WordPress Guten Free Options plugin, where user-supplied data is not properly neutralized before being included in dynamically generated web pages. This flaw enables a reflected cross‑site scripting (XSS) attack that can be exploited to inject and execute arbitrary JavaScript within the victim's browser. Such an attack can compromise user sessions, steal credentials, deface content, or deliver phishing payloads.
Affected Systems
The flaw affects the Guten Free Options plugin distributed by Tony Hayes. All releases from the earliest version up to and including 0.9.7 are vulnerable. Sites running any of those plugin versions are at risk.
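A version check for the affected range above, as an added example that is not part of the advisory or the plugin's own code: it reads the `Plugin Name` and `Version` fields from a plugin's main PHP file, following the standard WordPress plugin header layout, and flags Guten Free Options at or below 0.9.7. The function names are hypothetical, and the example assumes the plugin's header name is "Guten Free Options" as the advisory spells it.

```python
import re
import sys

LAST_AFFECTED = "0.9.7"  # from the advisory: all releases up to and including this

# WordPress plugin headers are "Key: value" lines inside the leading comment
# of the main plugin file; WordPress only scans the first 8 KiB.
HEADER_RE = r"^[ \t/*#@]*{}:(.*)$"


def read_header(source, key):
    """Return the value of a plugin header field, or None if absent."""
    m = re.search(HEADER_RE.format(re.escape(key)), source[:8192],
                  re.MULTILINE | re.IGNORECASE)
    if not m:
        return None
    # Drop a trailing comment terminator, as in "Version: 1.0 */".
    return re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip()


def version_key(version):
    """Turn '0.9.7' into (0, 9, 7); non-numeric parts compare as 0."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def is_affected(source):
    """True if this is Guten Free Options at or below the last affected release."""
    name = read_header(source, "Plugin Name")
    version = read_header(source, "Version")
    # Assumption: the header name matches the advisory's spelling of the plugin.
    if name is None or name.lower() != "guten free options":
        return False
    if not version:
        return True  # plugin present but version unreadable: treat as affected
    a, b = version_key(version), version_key(LAST_AFFECTED)
    width = max(len(a), len(b))  # pad so that 0.9 compares as 0.9.0
    return a + (0,) * (width - len(a)) <= b + (0,) * (width - len(b))


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(path, "AFFECTED" if is_affected(fh.read()) else "ok")
```

Run it with the path to each candidate plugin main file as an argument; a result of "ok" only means the file is not this plugin in the affected range.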
Risk and Exploitability
The CVSS score of 7.1 signifies a high‑severity vulnerability that can be triggered remotely by delivering a crafted request to the affected plugin. The EPSS score of less than 1% indicates a low current probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, because the flaw permits reflected XSS, an attacker could potentially execute malicious JavaScript in the context of the target site’s users without requiring prior authentication. The most likely path involves sending a malicious link or embedding a forged form that includes unsafe script content, which the plugin then renders into the page without sanitization.