The vulnerability is an improper neutralization of user input during page generation in PickPlugins Wishlist. An attacker can supply crafted input that the plugin reflects back to a visitor’s browser as part of a generated page. This reflected Cross‑Site Scripting can lead to arbitrary JavaScript execution within the context of the website. While the CVE description does not list specific outcomes such as session hijacking or credential theft, these are typical potential results for reflected XSS and are therefore inferred from the nature of the flaw. The impact therefore includes the possibility of compromising the confidentiality, integrity, or availability of the site and its users if malicious script is executed.

All releases of the WordPress Wishlist Plugin distributed by PickPlugins through version 1.0.39 are affected. Sites that have installed any of these versions are vulnerable until the issue is remediated. Versions newer than 1.0.39 are not impacted by this particular issue.

The CVSS score of 7.1 indicates a high severity. The EPSS score of less than 1 % suggests that exploitation is unlikely under current conditions. The CVE is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply input that is echoed back, typically by delivering a crafted URL or form to a user, or by exploiting any feature that accepts unauthenticated input. No active exploitation is reported. The overall risk remains moderate to high for active sites that expose vulnerable input paths.