Impact
Improper Neutralization of Input During Web Page Generation in the themeglow Cleanup – Directory Listing & Classifieds WordPress Plugin allows an attacker to inject malicious script into pages that are rendered to end users. This reflected cross‑site scripting flaw (CWE‑79) can lead to session hijacking, defacement, or delivery of malware when a victim visits a crafted URL containing malicious JavaScript. The vulnerability is triggered by unsanitized input that the plugin echoes back in the generated web content.
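The pattern the advisory describes, a request parameter echoed back into generated HTML without output encoding, is illustrated below with a hypothetical WordPress plugin function shown in its vulnerable form and then in a hardened form. This is an added example, not code from the Cleanup plugin or from themeglow; the function names, the `q` parameter and the `/listings/` path are assumptions. The hardened version applies the WordPress pattern of unslashing and sanitizing on input, then escaping for the specific output context (`esc_html` for element text, `esc_attr` for attribute values, `esc_url` for link targets).

```php
<?php
// Added illustration of the CWE-79 (reflected XSS) pattern from the advisory.
// Hypothetical code, not the Cleanup plugin's source; all names are assumptions.

// VULNERABLE: the request parameter is written straight into the page.
function cleanup_example_vulnerable_search_heading() {
    $term = isset( $_GET['q'] ) ? $_GET['q'] : '';
    // Raw echo into element text: anything in the URL is rendered as markup (CWE-79).
    echo '<h2>Results for ' . $term . '</h2>';
    // Attribute context is also unescaped; a quote in the input breaks out of value="...".
    echo '<input type="text" name="q" value="' . $term . '">';
}

// HARDENED: sanitize on the way in, escape for each output context on the way out.
function cleanup_example_hardened_search_heading() {
    // wp_unslash() removes WordPress' added slashes; sanitize_text_field() strips tags
    // and control characters from the reflected value.
    $term = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';

    // Element text: esc_html() encodes <, >, &, " and ' so the browser treats it as data.
    echo '<h2>Results for ' . esc_html( $term ) . '</h2>';

    // Attribute value: esc_attr() keeps the value inside the quoted attribute.
    echo '<input type="text" name="q" value="' . esc_attr( $term ) . '">';

    // URL built from request data: add_query_arg() expects pre-encoded values, and
    // esc_url() rejects unsafe schemes before the href is emitted.
    $link = add_query_arg( 'q', rawurlencode( $term ), home_url( '/listings/' ) );
    echo '<a href="' . esc_url( $link ) . '">Permalink</a>';
}
```

A useful review check for this class of bug is to grep a plugin for `echo`, `print` or `printf` statements whose argument includes `$_GET`, `$_POST`, `$_REQUEST` or a variable derived from them, and confirm that each is wrapped in the escaping function matching its output context; the sanitize call on input alone is not sufficient, because the same value may later be emitted into HTML, an attribute, a URL or inline JavaScript, each with different encoding rules.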
Affected Systems
All installations of the cleanup‑light plugin (the themeglow Cleanup – Directory Listing & Classifieds WordPress Plugin) at version 1.0.4 or earlier, on any WordPress site, are vulnerable; every version released up to and including 1.0.4 is affected. No other vendors or products are listed as affected.
Risk and Exploitability
The CVSS score of 7.1 classifies this as a moderate to high severity flaw, but the EPSS score of less than 1 % indicates a very low current exploitation probability in real-world attacks. The flaw is listed as not present in the CISA KEV catalog. The likely attack vector is a remote web request that contains a specially crafted parameter; the attacker does not need local privileges, though the victim must interact with the vulnerable page. Because the flaw works through reflected input, it may be exploitable via social engineering or malicious links. Despite the low EPSS, the potential for damaging XSS impacts warrants prompt remediation.
OpenCVE Enrichment