Impact
The flaw is an improper neutralization of user input (CWE-79) that allows attackers to inject script code into web pages rendered by the seekXL Snapr WordPress plugin. The plugin reflects unsanitized request input back into the page, so a crafted request becomes a vector for script injection. This reflected XSS issue lets an attacker execute arbitrary JavaScript in the browser of any user who opens a crafted link to an affected page. The resulting impact can include session hijacking, credential theft, or the delivery of malware.
Affected Systems
The vulnerability affects the Tim:seekXL Snapr plugin for WordPress in all releases up to and including version 2.0.6. WordPress sites with any of these versions installed remain exposed until the plugin is updated or removed.
Risk and Exploitability
The CVSS score of 7.1 signals a high-severity vulnerability that does not require special privileges. The EPSS score of less than 1% indicates a low estimated probability of exploitation in the wild at present, and the issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker exploits the flaw by delivering a crafted URL or input that the plugin echoes into the page, so the attacker only needs to entice a user into visiting a malicious link. Because the vulnerability can affect every user of an affected WordPress site, the risk remains significant and warrants timely remediation.
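As an added illustration of the reflection pattern described above, not code from the seekXL Snapr plugin or from this advisory: a hypothetical WordPress shortcode that echoes a request parameter, shown first in the vulnerable form the description implies and then hardened with WordPress's input-sanitization and context-specific output-escaping functions. The parameter name `snapr_q`, the shortcode name and the function names are assumptions.

```php
<?php
/*
 * Hypothetical example of the CWE-79 pattern in a WordPress plugin.
 * This is NOT the seekXL Snapr plugin's code; `snapr_q`, the shortcode
 * name and the function names are constructed for illustration.
 */

// VULNERABLE: the raw request value is reflected into two different
// output contexts (an attribute value and an HTML text node) with no
// neutralization, so a crafted link controls the rendered markup.
function hypothetical_snapr_search_vulnerable() {
    $q = isset( $_GET['snapr_q'] ) ? $_GET['snapr_q'] : '';
    return '<form method="get">'
         . '<input type="text" name="snapr_q" value="' . $q . '">'
         . '<p>Results for: ' . $q . '</p>'
         . '</form>';
}

// HARDENED: unslash and sanitize on input, then escape for the exact
// context at output time. esc_attr() for attribute values, esc_html()
// for text nodes, esc_url() for href/src targets; all are WordPress
// core functions. Sanitizing alone is not enough: the output-context
// escape is what neutralizes the reflection.
function hypothetical_snapr_search_hardened() {
    $q = '';
    if ( isset( $_GET['snapr_q'] ) ) {
        $q = sanitize_text_field( wp_unslash( $_GET['snapr_q'] ) );
    }
    return '<form method="get">'
         . '<input type="text" name="snapr_q" value="' . esc_attr( $q ) . '">'
         . '<p>Results for: ' . esc_html( $q ) . '</p>'
         . '</form>';
}

add_shortcode( 'hypothetical_snapr_search', 'hypothetical_snapr_search_hardened' );

// Defence in depth (assumed, not from the advisory): a Content-Security-Policy
// limits what an injected script can do even if an escape is missed. The
// policy below is a starting point and must be tuned to the site's own
// inline scripts and asset hosts before deployment.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy: script-src 'self'; object-src 'none'" );
} );
```

The hardened shortcode keeps the user's text visible in both the input box and the results line while ensuring it can only ever render as text, which is the behaviour the vulnerable version fails to guarantee.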