Impact
Improper neutralization of user-supplied input during page rendering in the Admin Options Pages plugin can cause reflected XSS. An attacker who controls a URL parameter or form input can inject JavaScript that executes in the victim's browser when the vulnerable page renders that input without escaping it, potentially leading to session hijacking, credential theft or defacement of the site. The weakness is a classic input-validation and output-encoding flaw (CWE-79).
Affected Systems
WordPress sites that have the Admin Options Pages plugin by Johannes van Poelgeest installed in any version up to and including 0.9.7 are affected. The plugin is referenced as "Admin Options Pages", and no newer release containing a fix is listed in the supplied data.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity; the EPSS score of <1% shows that the probability of exploitation is currently very low, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is network-based: a remote attacker crafts a malicious URL or form whose input is reflected by the vulnerable WordPress site. If a logged-in user or a site visitor opens that page, the injected script runs in the context of the site, giving the attacker an opportunity to steal session cookies, deface content, or propagate malware. The conditions for exploitation are simple: the plugin must be active, the vulnerable page must be rendered with the attacker's input, and no privileges are required beyond being able to get a victim to load the affected URL.
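The following is an added illustration of the CWE-79 pattern described in the Impact and Risk sections above. It is not code from the Admin Options Pages plugin or from its author; the function names, the `tab` parameter and the allowlist of tab names are constructed for the example. It shows the defect (request input concatenated into HTML unescaped) beside the mitigated form (validate the value, then encode it for the HTML context it lands in). Plain PHP `htmlspecialchars()` is used so the file runs without WordPress loaded; in a plugin the equivalent calls are `esc_html()` and `esc_attr()`.

```php
<?php
// Added example, not the affected plugin's code. $params stands in for
// request input such as $_GET; the 'tab' field name is constructed.

// Vulnerable pattern: request input is placed into the page unescaped, so
// any markup characters in the query string are interpreted by the browser.
function render_tab_heading_vulnerable(array $params): string
{
    $tab = $params['tab'] ?? 'general';
    return '<h2>Options: ' . $tab . '</h2>'
         . '<input type="hidden" name="tab" value="' . $tab . '">';
}

// Encoding for text placed between tags (what esc_html() does in WordPress).
function esc_html_ctx(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encoding for text placed inside a quoted attribute value (what esc_attr() does).
function esc_attr_ctx(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened form: the tab name is validated against a fixed allowlist first
// (unknown values fall back to the default), and the value is still encoded
// for each output context as defence in depth.
function render_tab_heading_safe(array $params): string
{
    $allowed = ['general', 'advanced', 'display']; // constructed allowlist
    $tab = (string) ($params['tab'] ?? 'general');
    if (!in_array($tab, $allowed, true)) {
        $tab = 'general';
    }
    return '<h2>Options: ' . esc_html_ctx($tab) . '</h2>'
         . '<input type="hidden" name="tab" value="' . esc_attr_ctx($tab) . '">';
}

// Constructed probe containing markup characters. In the vulnerable output the
// angle brackets and quote reach the browser as markup; in the safe output the
// value is rejected by the allowlist, and even a permitted value would be
// emitted as entities (&lt; &gt; &quot;) rather than tags.
$probe = ['tab' => '<b>not-a-tab</b>"'];
echo render_tab_heading_vulnerable($probe), PHP_EOL;
echo render_tab_heading_safe($probe), PHP_EOL;
```

The two lines of output make the fix concrete: the first contains a live `<b>` element and an unbalanced quote that breaks out of the `value` attribute, the second contains only the default tab name. A code review or static-analysis rule for this class of bug looks for request values (`$_GET`, `$_POST`, `$_REQUEST`) that reach `echo`, `print` or string concatenation into HTML without passing through `esc_html()`, `esc_attr()`, `wp_kses()` or an equivalent encoder for the target context.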
OpenCVE Enrichment