Impact
This vulnerability allows an attacker to inject script into pages that the Simple Membership Custom Messages plugin builds from user-supplied input. The plugin fails to neutralize that input before rendering it in the response, enabling Reflected Cross-Site Scripting: JavaScript carried in a crafted URL executes in the browser of whoever opens that URL, in the origin of the WordPress site. Possible consequences include session hijacking, credential theft, and any action the victim's authenticated session is allowed to perform on the site.
Affected Systems
The vulnerability affects the WordPress plugin 'Simple Membership Custom Messages' by wp.insider. All releases up to and including version 2.4 are affected; later versions are not known to be. The issue is relevant to WordPress sites that have the plugin installed and its custom message functionality enabled.
Risk and Exploitability
The CVSS score is 7.1, which falls in the High band of the CVSS qualitative severity scale (7.0 to 8.9 is rated High). The EPSS score of less than 1% indicates a low estimated probability of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog. The likely attack vector is a crafted URL or form input that the plugin reflects back to the browser without escaping. As with any reflected XSS, exploitation requires user interaction: the attacker must get a victim, typically a logged-in user of the site, to open the crafted link, after which the injected script runs in that victim's browser.
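The pattern behind this class of bug, and the fix, as an added illustration that is not code from the Simple Membership Custom Messages plugin or from wp.insider: a request parameter is concatenated straight into the HTML the plugin returns, versus the same output passed through WordPress's context-specific escaping. The parameter name `msg`, the function names and the CSS class are hypothetical; the `function_exists` fallbacks only let the file run outside WordPress, where the real `esc_html()`, `esc_attr()` and `sanitize_text_field()` from `wp-includes/formatting.php` would be used instead.

```php
<?php
// Added illustration of reflected XSS in a WordPress plugin and its hardened form.
// Not the plugin's own code; parameter name `msg` and function names are hypothetical.

// Fallbacks so this file runs stand-alone. Inside WordPress these functions already
// exist and the fallbacks are skipped; the WordPress versions also normalise
// encoding and strip line breaks, which these minimal stand-ins do not.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        return trim(strip_tags((string) $str));
    }
}

// Vulnerable pattern: whatever arrives in the request is echoed into the page.
// A URL such as ?msg=<script>...</script> is reflected to whoever opens it.
function render_custom_message_vulnerable(array $request): string
{
    $msg = $request['msg'] ?? '';
    return '<div class="custom-message" data-msg="' . $msg . '">' . $msg . '</div>';
}

// Hardened pattern: sanitize on input, then escape on output for the exact
// context the value lands in (esc_attr() inside an attribute, esc_html() in the
// element body; esc_url() would be the right call for href/src values).
function render_custom_message_hardened(array $request): string
{
    $msg = sanitize_text_field($request['msg'] ?? '');
    return '<div class="custom-message" data-msg="' . esc_attr($msg) . '">'
        . esc_html($msg) . '</div>';
}

// Constructed payload: breaks out of the attribute and injects a script element.
$request = ['msg' => '"><script>alert(document.cookie)</script>'];

$vulnerable = render_custom_message_vulnerable($request);
$hardened   = render_custom_message_hardened($request);

echo "vulnerable: ", $vulnerable, PHP_EOL;
echo "hardened:   ", $hardened, PHP_EOL;

// A quick regression check a plugin test suite could keep: the hardened output
// must never contain a raw script tag or an unescaped quote from the input.
$leaks = strpos($hardened, '<script') !== false || strpos($hardened, '">') !== false;
echo "hardened output leaks markup: ", ($leaks ? 'yes' : 'no'), PHP_EOL;
```

The point of the two functions is that escaping has to match the output context: `esc_html()` alone would not protect the `data-msg` attribute, and neither function helps if the value is later dropped into a `<script>` block, where `wp_json_encode()` is the appropriate tool. Reviewing a plugin for this bug class means finding every place a `$_GET`, `$_POST` or `$_REQUEST` value reaches an `echo`, `printf` or string concatenation that ends up in the response and checking which escaping call sits between them.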