The Empty Tags Remover plugin for WordPress contains an improper neutralization of user input during page generation, resulting in a reflected cross‑site scripting flaw. When an attacker crafts a URL that includes malicious script payloads, the plugin fails to sanitize the input before rendering it in the browser. This allows execution of arbitrary JavaScript in the context of the victim’s session, potentially leading to cookie theft, session hijacking, or redirection to malicious sites.

The vulnerability affects any installation of Dan‑Lucian Stefancu’s Empty Tags Remover plugin version 1.0 or earlier. No vendor listed other than the plugin author; documentation indicates the issue exists through version <=1.0. Users who have upgraded to a newer version are not impacted.

The CVSS score of 7.1 reflects a medium‑to‑high severity due to the impact on confidentiality and integrity of user sessions. The EPSS score is reported as less than 1 %, suggesting exploitation attempts are infrequent, and the vulnerability is not listed in CISA’s KEV catalog. However, reflected XSS is a well‑known vector, and if the plugin’s output can be crafted by an attacker, the flaw can be exploited via benign URL manipulation, with no special credentials or privileged access required. The primary attack surface is the web interface where the plugin processes query parameters or form data.