Impact
This flaw is a reflected cross-site scripting (XSS) vulnerability in the SpiderDisplay plugin for WordPress, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The plugin reflects attacker-controlled request input into the pages it generates without neutralizing it, so an attacker can inject JavaScript or HTML that executes in the browser of any user who opens a crafted link. Script running in the site's origin can hijack the victim's session, capture credentials or form input, or rewrite the page for phishing. The root cause is missing output encoding for the HTML context in which the input is rendered, not merely missing input validation.
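The CWE-79 pattern described above, shown as an added illustration. This is not SpiderDisplay's code and makes no claim about where the plugin's flaw lives; the request parameter name `sd_q`, the rendered form and the `render_search_box_*` functions are assumptions for the example. It runs stand-alone (polyfilling WordPress's `esc_html()`/`esc_attr()` with `htmlspecialchars()`) and shows the vulnerable reflection next to its hardened form:

```php
<?php
// Added example of a reflected XSS (CWE-79) in a WordPress plugin and its fix.
// NOT SpiderDisplay's code: parameter 'sd_q' and the markup are assumptions.

// Polyfills so the file runs outside WordPress. Inside WordPress the real
// esc_html()/esc_attr() from wp-includes/formatting.php take precedence.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable: the request value is reflected into both an attribute and
// element text with no neutralization. A link such as
//   ?sd_q=%3Cscript%3Ealert(1)%3C%2Fscript%3E
// executes in the browser of whoever opens it.
function render_search_box_vulnerable(array $get): string {
    $q = isset($get['sd_q']) ? (string) $get['sd_q'] : '';
    return '<form><input name="sd_q" value="' . $q . '">'
         . '<p>Results for: ' . $q . '</p></form>';
}

// Hardened: each reflected value is escaped for the exact context it lands in
// (attribute value vs. element text). In WordPress, wp_unslash() and
// sanitize_text_field() on input are good hygiene, but escaping on output is
// the control that actually closes CWE-79.
function render_search_box_hardened(array $get): string {
    $q = isset($get['sd_q']) ? (string) $get['sd_q'] : '';
    return '<form><input name="sd_q" value="' . esc_attr($q) . '">'
         . '<p>Results for: ' . esc_html($q) . '</p></form>';
}

// Constructed payloads a tester would send to a reflected parameter: a bare
// script tag, an attribute breakout, and an event handler injection.
$payloads = [
    '<script>alert(1)</script>',
    '"><img src=x onerror=alert(1)>',
    '" autofocus onfocus=alert(1) x="',
];

foreach ($payloads as $p) {
    $vuln = render_search_box_vulnerable(['sd_q' => $p]);
    $safe = render_search_box_hardened(['sd_q' => $p]);

    // Vulnerable output carries the payload verbatim; hardened output must not
    // contain the raw payload, any '<' from it, or an unescaped double quote
    // inside the value attribute.
    $reflected_raw  = strpos($vuln, $p) !== false;
    $neutralized    = strpos($safe, $p) === false
                   && strpos($safe, '<script') === false
                   && strpos($safe, '"><img') === false
                   && strpos($safe, 'value="" autofocus') === false;

    printf("payload: %s\n  vulnerable reflects raw: %s\n  hardened neutralized: %s\n",
        $p, $reflected_raw ? 'yes' : 'no', $neutralized ? 'yes' : 'no');
}
```

Run it with `php xss_demo.php`; every payload should report `vulnerable reflects raw: yes` and `hardened neutralized: yes`. The point of escaping per context matters: `esc_attr()` inside a quoted attribute and `esc_html()` in text are both correct here, but a value placed into a URL or inline script would need `esc_url()` or JSON encoding instead, since HTML entity escaping does not make those contexts safe.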
Affected Systems
WordPress sites with the SpiderDisplay plugin installed at any version up to and including 1.9.1 are affected. The entry lists the vendor as 'fyljp' and the product as SpiderDisplay. A site running SpiderDisplay 1.9.1 or earlier is vulnerable; the installed version is shown on the Plugins screen in wp-admin or in the Version: line of the plugin's main file header. No WordPress core version or other plugin is implicated by this entry.
Risk and Exploitability
The CVSS base score of 7.1 places the flaw in the High severity band, while the EPSS score below 1% indicates a very low probability of exploitation in the wild at the time of analysis. The flaw is not listed in the CISA KEV catalog. The description points to a reflected XSS scenario: the attacker crafts a URL or form submission carrying the payload, and the script executes when another user opens that URL or submits the forged form. The attack therefore requires user interaction, but the payload can be delivered through any page, public or internal, on which the plugin renders the reflected input.
OpenCVE Enrichment