The All push notification for WP plugin implements a Reflected XSS flaw due to insufficient input sanitization. This flaw can be triggered when an attacker supplies crafted data that is later rendered in a web page. If an authenticated or unauthenticated user views the affected page, the attacker can inject arbitrary JavaScript that may hijack sessions, alter page content, or launch phishing attacks.

Any WordPress site using the All push notification for WP plugin by gtlwpdev with a version equal to or older than 1.5.3 is affected. Versions earlier than the initial release also remain vulnerable if the plugin has not been updated. Site administrators should verify the installed plugin version and confirm that it is 1.5.4 or newer.

The CVSS score of 7.1 indicates a moderate to high risk. The EPSS score is below 1%, implying that active exploitation is unlikely at present. However, the vulnerability is not contained within CISA's KEV list, so no dedicated mitigation guidance exists. The likely attack vector is reflected XSS, which requires an attacker to entice a victim into visiting a manipulated URL or interacting with a malicious form that includes the vulnerable input. Successful exploitation would occur entirely on the client side, potentially giving attackers significant control over the victim’s browser session.