The wp-flickr-press plugin contains an improper neutralization of user input during page generation. This flaw allows an attacker to inject arbitrary JavaScript that is reflected back in the response served to a victim. The injected script runs in the victim’s browser context, and while the description does not specify downstream effects, such code could, in principle, compromise the victim’s session or alter page content. (Based on the description, it is inferred that the impact is the execution of malicious script in users’ browsers.)

The plugin \"wp-flickr-press\" by developer tatsuya is affected. Any WordPress installation that uses the plugin with version 2.6.4 or earlier is at risk. No fixed version is cited, so all installations of those versions must be considered vulnerable.

The CVSS score of 7.1 places the vulnerability in the High severity range. The EPSS score below 1% indicates a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an attacker crafting a URL that contains the malicious input; when an end-user follows the link, the reflected script executes in their browser, potentially leading to damage or fraud. This exploitation path requires only the presence of a victim with the vulnerable plugin and a URL containing the reflected payload.