This vulnerability arises from improper neutralization of input during web page generation in the WordPress WP Easy Post Mailer plugin. A flaw in the way the plugin processes user‑supplied data allows attackers to embed malicious JavaScript that is reflected back in the page. An attacker can inject scripts through crafted URLs or form inputs, which will be executed in the victim’s browser when the vulnerable page is rendered. The impact is the compromise of user session data, defacement, or theft of sensitive information, affecting confidentiality and integrity within the site’s front‑end environment.

The affected product is the WP Easy Post Mailer plugin developed by Richard Leishman. All versions from the earliest release through version 0.64 are impacted. Users installing any of these versions on a WordPress site are vulnerable if the plugin is active and the related input fields are exposed to untrusted users.

The assigned CVSS score of 7.1 indicates a high severity, but the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at present. The vulnerability is not listed in CISA’s KEV catalog, so there are no documented exploits at this time. The attack vector is likely to be remote, leveraging crafted queries or input fields that result in reflected content. If an attacker can lure a site visitor to a maliciously crafted link, the user’s browser can be tricked into executing arbitrary JavaScript, leading to credential theft, cookie hijacking, or defacement of the web page.