Impact
The BSK Forms Validation plugin contains an Improper Neutralization of Input During Web Page Generation (CWE‑79) flaw that allows reflected cross-site scripting (XSS). When submitted form data is not properly sanitized, the input is echoed back into the generated page, so an attacker can embed JavaScript that executes in the victim's browser. An attacker can use this to hijack sessions, steal credentials, or deface the site. The vulnerability is limited to the plugin's form processing logic and does not grant direct server access, but it can have severe client‑side consequences. The attack requires only a crafted request and the victim's browser rendering the response.
Affected Systems
Bannersky's BSK Forms Validation plugin for WordPress, in all versions up to and including 1.7. Any WordPress site with one of these versions installed is affected. No other vendors or products are affected.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity; the attack has moderate complexity and requires user interaction. The EPSS score is less than 1%, suggesting that active exploitation in the wild is unlikely at present. The vulnerability is not listed in CISA's KEV catalog, so there is no known mass exploitation campaign. An attacker can exploit the flaw by sending a specially crafted form submission whose payload is reflected in the resulting page. The attacker only needs to entice a user to visit or submit that form; no additional privileges or system access are required.
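The echo-back pattern described under Impact and the regression check a site owner would want, as an added illustration in WordPress-style PHP; this is not code from the BSK Forms Validation plugin, and the field name `bsk_message` and the function names are hypothetical.

```php
<?php
// Added example, not the plugin's own code. The field 'bsk_message' is hypothetical.

// Vulnerable pattern: the submitted value is written back into the page
// unchanged, so markup in the request becomes markup in the response.
function bsk_render_result_vulnerable( array $request ): string {
    $value = $request['bsk_message'] ?? '';
    return '<p class="bsk-result">You entered: ' . $value . '</p>';
}

// WordPress provides esc_html() for output in an HTML text context.
// This fallback (same behaviour for our purpose) lets the file run outside WordPress.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ): string {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Hardened pattern: the same value is escaped for the HTML context on output,
// so angle brackets and quotes reach the browser as inert entities.
function bsk_render_result_hardened( array $request ): string {
    $value = (string) ( $request['bsk_message'] ?? '' );
    return '<p class="bsk-result">You entered: ' . esc_html( $value ) . '</p>';
}

// Regression check: the raw submitted string must never appear verbatim
// in the rendered HTML when it contains markup.
function bsk_reflects_unescaped( string $html, string $input ): bool {
    return $input !== '' && strpos( $html, $input ) !== false;
}

// Constructed request carrying markup, used only to exercise the two renderers.
$request = array( 'bsk_message' => '<script>alert(1)</script>' );

$vulnerable = bsk_render_result_vulnerable( $request );
$hardened   = bsk_render_result_hardened( $request );

echo $vulnerable, PHP_EOL;   // markup emitted verbatim: the browser would execute it
echo $hardened, PHP_EOL;     // markup emitted as &lt;script&gt;...: rendered as text

assert( bsk_reflects_unescaped( $vulnerable, $request['bsk_message'] ) === true );
assert( bsk_reflects_unescaped( $hardened,   $request['bsk_message'] ) === false );
```

The same check belongs in the plugin's test suite for every parameter the form handler echoes, with esc_attr() or esc_js() substituted where the value lands in an attribute or a script block rather than in element text.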