Impact
The EU DSGVO Helper WordPress plugin, up to and including version 1.0.6.1, fails to neutralize user-supplied input before rendering it into a page (Cross-Site Scripting, CWE-79). An attacker who gets a victim to open a crafted URL can have arbitrary JavaScript execute in the victim's browser in the origin of the affected site. Based on the description, it is inferred that the injection point is a reflected request parameter; a payload delivered that way could read cookies not protected by the HttpOnly flag, alter the rendered page, or present phishing content. The direct impact is limited to the browsers of users who open the crafted link; server-side code and data are not compromised by the flaw itself, although script running in the session of a logged-in administrator can perform any action that administrator can.
Affected Systems
WordPress sites running the EU DSGVO Helper plugin at version 1.0.6.1 or earlier are affected. Site administrators should check the installed plugin version (for example from the Plugins page in the dashboard) and either update to a release newer than 1.0.6.1, if the vendor has published one, or remove the plugin. No other WordPress core or plugin versions are listed as vulnerable.
Risk and Exploitability
The CVSS score of 7.1 falls in the High band (7.0 to 8.9), reflecting a flaw that is reachable over the network without authentication and needs only a victim to follow a link. The EPSS score below 1% indicates that, at the time of assessment, the estimated probability of exploitation in the wild over the next 30 days is low, and the vulnerability is not listed in CISA's KEV catalog. Based on the description, it is inferred that an attacker would deliver the crafted URL by e-mail, chat, or another social-engineering channel, using the reflected XSS path in an unauthenticated context. A low EPSS score and absence from KEV describe observed activity, not difficulty of exploitation: reflected XSS needs no special tooling, so the finding should still be remediated promptly.
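The two practical tasks raised by this advisory are deciding whether an installed plugin version is in the affected range (Affected Systems) and spotting attempts to deliver a reflected payload through a crafted URL (this section). The following Python is an added example written for this page; it is not code from the plugin, its vendor, or OpenCVE. The advisory does not name the vulnerable request path or parameter, so the `dsgvo_msg` parameter in the sample log lines is hypothetical, and the log lines themselves are constructed.

```python
"""Added example for the EU DSGVO Helper reflected-XSS advisory.

is_affected()        -- numeric comparison of dotted versions against the last
                        affected release, so "1.0.10" is not mistaken for a
                        version older than "1.0.6.1" as a plain string compare would.
find_xss_attempts()  -- scan access-log lines for query parameters carrying
                        typical reflected-XSS payloads, decoding a second time
                        to catch double-URL-encoded input.

The parameter name 'dsgvo_msg' and the log lines are constructed sample data;
the advisory does not disclose the real parameter.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

LAST_AFFECTED = "1.0.6.1"  # from the advisory: this version and earlier are affected


def parse_version(version: str) -> tuple:
    """'1.0.6.1' -> (1, 0, 6, 1). A non-numeric tail such as '1-beta' counts as 1."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_affected(installed: str, last_affected: str = LAST_AFFECTED) -> bool:
    """True when the installed version is at or below the last affected release."""
    a, b = parse_version(installed), parse_version(last_affected)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # pad so (1, 0, 7) compares as (1, 0, 7, 0)
    b += (0,) * (width - len(b))
    return a <= b


# Markers that make a decoded query value a probable XSS payload.
XSS_PATTERNS = re.compile(
    r"<\s*/?\s*script"                                 # <script ... or </script
    r"|javascript\s*:"                                 # javascript: URLs
    r"|<\s*(img|svg|iframe|body|object|embed)\b"       # tags commonly abused for XSS
    r"|\bon(error|load|click|focus|mouseover|animationstart|toggle)\s*=",  # event handlers
    re.IGNORECASE,
)

# Request line inside an Apache/nginx "combined" log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_xss_attempts(log_lines):
    """Return (line_no, parameter, decoded_value) for each suspicious query parameter."""
    hits = []
    for no, line in enumerate(log_lines, start=1):
        m = LOG_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl already URL-decodes once; decode again to see through
        # double encoding such as %253Cscript%253E -> %3Cscript%3E -> <script>
        for name, value in parse_qsl(query, keep_blank_values=True):
            decoded = unquote_plus(value)
            if XSS_PATTERNS.search(decoded):
                hits.append((no, name, decoded))
    return hits


# Constructed sample log lines (not real traffic); the parameter name is hypothetical.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2025:12:00:01 +0000] "GET /?dsgvo_msg=hello HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2025:12:00:02 +0000] "GET /?dsgvo_msg=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jun/2025:12:00:03 +0000] "GET /?dsgvo_msg=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Jun/2025:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for v in ("1.0.5", "1.0.6.1", "1.0.6.2", "1.0.10"):
        print(f"{v:>8}: {'affected' if is_affected(v) else 'not affected'}")
    for no, name, value in find_xss_attempts(SAMPLE_LOG):
        print(f"line {no}: parameter {name!r} carries {value!r}")
```

Run against a real access log by replacing `SAMPLE_LOG` with the file's lines; the regex list is deliberately conservative so that ordinary values do not trigger it, and any hit on the plugin's endpoint after the patch date is worth correlating with the originating client address.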
OpenCVE Enrichment