Impact
The WP Multistore Locator plugin for WordPress does not properly neutralize script-related HTML tags in attacker-controlled input, resulting in a reflected cross-site scripting flaw. An attacker sends a crafted request whose parameters carry a script payload, and the plugin echoes that input into the generated page without adequate output encoding. If a victim opens the attacker's link, the script runs in the victim's browser in the origin of the WordPress site, where it can read session cookies that are not flagged HttpOnly, perform actions with the victim's privileges (including administrative actions if the victim is a logged-in administrator), alter the page content the victim sees, or redirect the victim to further malicious content. The issue is classified under CWE-79 (improper neutralization of input during web page generation) and CWE-80 (improper neutralization of script-related HTML tags in a web page).
Affected Systems
The affected product is WPExperts.io's WP Multistore Locator plugin for WordPress. All released versions up to and including 2.4.7 are affected. The advisory names no fixed release, so any installation reporting version 2.4.7 or lower should be treated as vulnerable; before relying on an update, confirm from the plugin's changelog that the release actually addresses this issue.
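Because the advisory gives a version ceiling but no patched release, the practical first step is to confirm exactly which version is installed and whether it falls inside the affected range. The Python below is an added example written for this page, not code from WPExperts.io or from the advisory source. It reads the version from a plugin main-file header or from the JSON printed by `wp plugin list --fields=name,version,status --format=json`, and compares it numerically against 2.4.7 so that 2.10.0 is correctly treated as newer. The plugin slug `wp-multistore-locator`, the sample header and the sample WP-CLI output are all assumptions constructed for the example; confirm the slug against the real directory under wp-content/plugins/.

```python
import json
import re

# Highest affected version stated in the advisory; no fixed release is named there.
MAX_AFFECTED = "2.4.7"
# Assumed plugin slug (directory name under wp-content/plugins/); verify locally.
PLUGIN_SLUG = "wp-multistore-locator"

# Constructed sample of a plugin main-file header; not the real plugin source.
SAMPLE_HEADER = """\
<?php
/**
 * Plugin Name: WP Multistore Locator
 * Description: Store locator for multiple stores.
 * Version: 2.4.7
 * Author: WPExperts.io
 */
"""

# Constructed sample of `wp plugin list --fields=name,version,status --format=json`.
SAMPLE_WP_CLI = json.dumps([
    {"name": "wp-multistore-locator", "version": "2.4.7", "status": "active"},
    {"name": "akismet", "version": "5.3", "status": "inactive"},
])


def parse_version(version):
    """Map '2.4.7', 'v2.4' or '2.4.7-beta1' to a tuple of ints so that
    2.10.0 sorts after 2.4.7 (plain string comparison gets this wrong)."""
    numeric = re.findall(r"\d+", version.split("-", 1)[0])
    return tuple(int(n) for n in numeric) or (0,)


def is_affected(version, max_affected=MAX_AFFECTED):
    """True when version <= max_affected, comparing component-wise and
    treating missing components as 0 (so 2.4 compares like 2.4.0)."""
    a, b = parse_version(version), parse_version(max_affected)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def version_from_header(php_source):
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.M)
    return m.group(1) if m else None


def affected_plugins(wp_cli_json, slug=PLUGIN_SLUG):
    """From `wp plugin list ... --format=json` output, return the entries for
    the target slug whose version falls in the affected range."""
    return [p for p in json.loads(wp_cli_json)
            if p.get("name") == slug and is_affected(p.get("version", "0"))]


if __name__ == "__main__":
    header_version = version_from_header(SAMPLE_HEADER)
    print("header version:", header_version, "affected:", is_affected(header_version))
    for p in affected_plugins(SAMPLE_WP_CLI):
        print(f"{p['name']} {p['version']} ({p['status']}) is in the affected range")
```

On a live site, replace SAMPLE_WP_CLI with the real output of the WP-CLI command, or read the header from the plugin's main PHP file; the comparison logic is the same either way.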
Risk and Exploitability
The CVSS score of 7.1 rates the flaw as high severity, while the EPSS score of under 1% estimates a low probability of exploitation in the wild over the next 30 days. The plugin is not listed in the CISA KEV catalog, and no in-the-wild exploitation has been reported. The attack vector is the network: the attacker places the payload in a web request that the plugin reflects into its response, then delivers that URL to a victim, typically by phishing. Exploitation requires user interaction, so exposure is limited to users who open the crafted link, but a logged-in administrator who does so gives the attacker script execution with administrator privileges in the WordPress back end. Because XSS of this kind can lead to session hijacking, credential theft and unauthorized changes to the site, administrators should update the plugin as soon as a fixed release is available and, until then, consider deactivating it or placing a web application firewall rule in front of it.
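Since the payload travels in the request and is reflected by the server, attempts show up in the web server's access log even when they succeed. The Python below is an added example written for this page (not code from the advisory source or the plugin vendor) that parses Apache combined-format log lines, decodes each query parameter, including double-encoded values, and flags parameters containing script-injection markers. The log lines, request paths and parameter names are constructed for the example; the advisory does not identify the plugin's actual reflecting endpoint or parameter, so the marker list is the part to reuse, not the paths.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample lines in Apache "combined" log format. These are not real
# traffic, and the paths and parameter names are illustrative, not the plugin's.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /wp-admin/admin.php?page=store-locator&s=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2024:12:00:02 +0000] "GET /?s=store+finder HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:12:00:03 +0000] "GET /store-locator/?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 3000 "-" "curl/8.0"
198.51.100.7 - - [10/May/2024:12:00:04 +0000] "GET /store-locator/?q=%22%3E%3Csvg%2Fonload%3Dalert(document.cookie)%3E HTTP/1.1" 200 3000 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers that belong in a script-injection payload rather than a normal search
# term. Kept deliberately narrow to limit false positives on legitimate input.
XSS_MARKERS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed|body)\b"
    r"|\bon(error|load|focus|mouseover|click)\s*="
    r"|javascript\s*:",
    re.I,
)


def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing, so double-encoded
    payloads (%253C -> %3C -> <) are inspected in their final form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def suspicious_params(target):
    """Return (param, decoded_value, matched_marker) for each query parameter
    of a request target whose decoded value contains an XSS marker."""
    _, _, query = target.partition("?")
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = fully_decode(value)
        m = XSS_MARKERS.search(decoded)
        if m:
            hits.append((name, decoded, m.group(0)))
    return hits


def scan_log(text):
    """Scan access-log text and return one finding per suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a production pipeline would count these
        for param, decoded, marker in suspicious_params(m.group("target")):
            findings.append({
                "ip": m.group("ip"),
                "status": int(m.group("status")),
                "param": param,
                "decoded": decoded,
                "marker": marker,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} param={f['param']!r} marker={f['marker']!r} value={f['decoded']!r}")
```

A 200 status on a flagged request does not by itself prove the reflection succeeded, but repeated hits from one source against the plugin's pages, or a hit whose referrer is an external site, are worth an incident-response look. The decode loop is the important part: a single unquote would miss the double-encoded line entirely.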