The vulnerability is a Reflected Cross‑Site Scripting flaw caused by improper input neutralization during web page generation in the Legal + plugin. When user input is reflected back in the browser without adequate sanitization, malicious JavaScript can execute in the victim’s browser context. This exposure can lead to cookie theft, session hijacking, or defacement of the web page, thereby compromising the confidentiality and integrity of user sessions. The weakness is identified as CWE‑79.

The plugin jmraya Legal + is affected for all releases from the initial version up to and including version 1.0. Any WordPress installation running any version of Legal + through 1.0 is vulnerable.

With a CVSS score of 7.1, the flaw has moderate to high severity. The EPSS score of less than 1% indicates that exploitation is unlikely to be widespread, and the issue is not currently listed in the CISA KEV catalog. The attack vector is inferred to be remote, via a malicious URL or link that includes crafted query parameters or form input that is reflected by the plugin. Any authenticated or unauthenticated user who navigates to the vulnerable endpoint could be targeted, making this a broad‑scope client‑side threat that does not require elevated privileges.