Impact
The CryoKey plugin for WordPress contains a reflected cross-site scripting vulnerability in the 'ckemail' parameter due to insufficient input sanitization and output escaping. An unauthenticated attacker can embed arbitrary JavaScript into a crafted URL, which will execute in the victim's browser if the user clicks the link. While the flaw does not grant direct code execution or administrative privileges, it allows attackers to steal session cookies, deface content, or load malicious payloads, thereby compromising user confidentiality and integrity.
Affected Systems
This vulnerability affects the CryoKey plugin for WordPress, specifically all releases up to and including version 2.4. Systems running these plugin versions, regardless of the host WordPress installation, are susceptible to the flaw.
Risk and Exploitability
The CVSS score of 4.7 categorizes the issue as low to moderate severity, and an EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, reflecting its limited exposure. Attackers can exploit the flaw without authentication, but the vector requires social engineering: a malicious link must be clicked by a user who has access to a page that passes the 'ckemail' value to the vulnerable plugin. An attacker could hijack sessions, deliver malware, or compromise user accounts, but the attack is limited to the browsers that load the compromised content.
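Because the only delivery path described above is a crafted link carrying the 'ckemail' value, a practical defender check is to hunt access logs for requests where that parameter holds anything other than a plausible e-mail address. The following is an added example, not code from the CryoKey plugin or the advisory; the log lines, the request path and the IP addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Loose e-mail shape check: enough to separate real addresses from injected markup.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$")

# Request line as it appears in Apache/nginx combined log format: "METHOD path HTTP/x.y"
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def ckemail_values(log_line):
    """Return every URL-decoded 'ckemail' query value found in one access-log line."""
    m = REQ_RE.search(log_line)
    if not m:
        return []
    query = urlsplit(m.group(1)).query
    # parse_qs percent-decodes values, so '<' '>' '"' come back as literal characters.
    return parse_qs(query, keep_blank_values=True).get("ckemail", [])


def suspicious_ckemail(log_line):
    """Return the 'ckemail' values on this line that are not well-formed addresses."""
    return [v for v in ckemail_values(log_line) if not EMAIL_RE.match(v)]


def hunt(lines):
    """Return (line_index, bad_values) for every line carrying a suspicious 'ckemail'."""
    hits = []
    for i, line in enumerate(lines):
        bad = suspicious_ckemail(line)
        if bad:
            hits.append((i, bad))
    return hits


# Constructed sample traffic (not real logs); 203.0.113.0/24 is a documentation range
# and the request path is a placeholder, not the plugin's actual endpoint.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /login/?ckemail=alice%40example.com HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /login/?ckemail=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /?p=12 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for idx, bad in hunt(SAMPLE_LOG):
        print(f"line {idx}: non-address ckemail value(s): {bad!r}")
```

A hit is a candidate for review rather than proof of exploitation, since the same pattern also catches typos and probing by scanners.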
OpenCVE Enrichment