The weakness resides in the WordPress File Search plugin’s handling of user input during page rendering, allowing a maliciously crafted query parameter to be reflected in the resulting HTML without proper neutralization. This flaw permits an attacker to inject arbitrary JavaScript that executes in any victim’s browser when the crafted URL is visited. Consequences include theft of session cookies, authorization token hijacking, defacement of the site, and potential delivery of additional malware through in‑browser exploitation. The vulnerability manifests as a classic Cross‑Site Scripting (CWE‑79) flaw affecting client‑side integrity and confidentiality.

Systems that run WordPress with the markcoker WordPress File Search plugin version 1.2 or earlier are affected. Any WordPress instance deploying this plugin with a version from the initial release through 1.2 contains the vulnerability.

The CVSS score of 7.1 classifies the issue as a high‑severity vulnerability. Exploitation requires an attacker to entice a user to visit a URL under the attacker’s control, which is feasible via phishing or social engineering. The EPSS score of less than 1% suggests that, while exploitation is not widespread, the probability is still non‑zero, and the low probability does not diminish the potential impact. The plugin is not listed in the CISA KEV catalog, indicating no confirmed exploits as of the last publish. The primary attack vector is reflected XSS, and a successful payload would execute within the victim’s browser context, leading to client‑side compromise.