Impact
The vulnerability is an improper neutralization of input during web page generation (CWE-79) in the MJ Contact us WordPress plugin, resulting in reflected cross-site scripting. An attacker crafts a URL in which a request parameter carries script content; when a victim opens that link, the plugin echoes the parameter into the page without escaping it and the script runs in the victim's browser in the origin of the WordPress site. From there it can act with the victim's privileges, read data the page exposes, or alter what the victim sees. The flaw does not give the attacker code execution on the server, but it compromises the confidentiality and integrity of the victim's session. One caveat for anyone assessing impact: WordPress sets its authentication cookies HttpOnly by default, so a realistic payload performs authenticated actions as the victim from within the page rather than reading the cookie directly.
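The pattern behind a CWE-79 finding of this kind, shown as an added illustration rather than the plugin's own code: a request parameter echoed straight into markup, next to the hardened form a WordPress developer would write. The parameter name `mjcu_msg` and the function names are hypothetical and exist only for this example.

```php
<?php
// Added example, not code from the MJ Contact us plugin.
// The parameter name 'mjcu_msg' and all function names are hypothetical.

// Vulnerable pattern (CWE-79): the value arrives in the URL and is written
// into the page unchanged. Visiting
//   /?mjcu_msg=%3Cscript%3Ealert(document.domain)%3C/script%3E
// makes the browser execute the script in the site's origin.
function mjcu_demo_vulnerable_notice() {
    if ( isset( $_GET['mjcu_msg'] ) ) {
        echo '<div class="notice">' . $_GET['mjcu_msg'] . '</div>';
    }
}

// Hardened pattern: unslash (WordPress adds slashes to superglobals),
// sanitize on input, then escape for the exact output context.
// A nonce check would not help here: a reflected XSS is triggered by the
// victim's own browser loading the link, so escaping is the control.
function mjcu_demo_safe_notice() {
    if ( ! isset( $_GET['mjcu_msg'] ) ) {
        return;
    }
    $msg = sanitize_text_field( wp_unslash( $_GET['mjcu_msg'] ) );

    // esc_html() for element content; esc_attr() inside an attribute,
    // esc_url() for href/src, wp_json_encode() when embedding into script.
    echo '<div class="notice">' . esc_html( $msg ) . '</div>';
}

// Same escaping step expressed with plain PHP, so it can be exercised
// outside a WordPress bootstrap (for example in a plugin's unit tests).
function mjcu_demo_escape_for_html( $untrusted ) {
    return htmlspecialchars( $untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

// Constructed sample input: the payload from the URL above after decoding.
$sample = '<script>alert(document.domain)</script>';
// Emits &lt;script&gt;alert(document.domain)&lt;/script&gt;, which the
// browser renders as text instead of executing.
echo mjcu_demo_escape_for_html( $sample ), PHP_EOL;
```

The choice of escaper follows the output context, which is why a single "sanitize everything" filter on input is not a substitute: a value that is harmless inside an element body can still break out of an attribute or a script block.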
Affected Systems
The affected product is the MJ Contact us WordPress plugin by anildhiman. All versions up to and including 5.2.3 are affected. Check the installed version on the Plugins screen or with `wp plugin list` from WP-CLI; if it falls within this range, update to a release newer than 5.2.3 where one is available, or deactivate the plugin until it can be replaced.
Risk and Exploitability
The CVSS score is 7.1 (High), which is on the elevated side for a reflected XSS. The EPSS score is below 1%, indicating a low probability of exploitation in the wild at present, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires the victim to open a crafted URL, delivered by email, chat or a link on another page; the attacker's script then runs in the victim's browser in the context of the site. Because the payload travels in the request itself, a single link is enough and no stored foothold is needed, so the only barrier is user interaction. The impact is greatest when the victim is a logged-in administrator, since the script can then act with that user's privileges. The same property aids detection: the payload appears in the request URL, so web server or WAF logs can be searched for script tags or event-handler fragments in query strings sent to the site.