Impact
Reflected cross‑site scripting (XSS) occurs when untrusted data is reflected back to the browser without proper escaping, allowing an attacker to inject arbitrary client‑side scripts. In this case, the shalomworld SW Plus plugin fails to neutralize user input during page generation, thereby permitting attacker‑supplied payloads to execute in the victim’s browser. This weakness can lead to session hijacking, credential theft, defacement, or the delivery of other malicious content to unsuspecting users. The vulnerability is classified under CWE‑79 – Improper Neutralization of Input During Web Page Generation.
Affected Systems
Affected hosts are those running the SW Plus plugin from shalomworld at version 2.1 or earlier. The plugin is a WordPress media gallery add‑on, commonly found on sites that use shalomworld’s Media Gallery functionality. Any WordPress installation that includes SW Plus 2.1 or earlier is potentially susceptible, while releases 2.2 and later incorporate the fix described by the vendor.
Risk and Exploitability
The CVSS score of 7.1 indicates medium‑high severity. EPSS is <1%, suggesting that overall exploitation probability is low but still non‑zero. The vulnerability is not yet listed in the CISA KEV catalog. Attackers can likely exploit it by crafting URLs or form inputs that include malicious JavaScript, which the plugin then reflects back in the page HTML. Because it is a reflected XSS, the attack requires user interaction to load the malicious page; however, on sites with open search or public comments, an attacker could embed the payload in a link and persuade visitors to click. Mitigating this risk requires applying the vendor patch or disabling the problematic functionality until it can be updated.
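Because the remediation in both sections above comes down to locating installs at 2.1 or earlier and updating to 2.2 or later, the following added example (not code from the advisory, OpenCVE or the plugin vendor) reads the `Version:` line of a WordPress plugin file header and reports whether it falls in the affected range. The plugin's main file name and the sample header are assumptions; numeric comparison is used so that a hypothetical 2.10 is correctly treated as newer than 2.2.

```python
"""Check a WordPress plugin header against the affected range in this advisory."""
import re
from pathlib import Path
from typing import Optional

# Upper bound of the affected range, as stated in the advisory (<= 2.1).
LAST_AFFECTED_VERSION = "2.1"

# WordPress plugin headers are lines such as " * Version: 2.1" inside a PHP comment.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(.+?)\s*$", re.MULTILINE)


def parse_version(text: str) -> tuple:
    """Split '2.1.3' into (2, 1, 3); stop at a non-numeric suffix such as 'beta'."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def is_affected(version: str, last_affected: str = LAST_AFFECTED_VERSION) -> bool:
    """True when version <= last_affected, comparing components numerically
    and padding with zeros so that 2.1 and 2.1.0 are equal."""
    v, bound = parse_version(version), parse_version(last_affected)
    width = max(len(v), len(bound))
    v += (0,) * (width - len(v))
    bound += (0,) * (width - len(bound))
    return v <= bound


def version_from_plugin_header(php_source: str) -> Optional[str]:
    """Return the declared version from a plugin file header, or None if absent."""
    m = HEADER_RE.search(php_source)
    return m.group(1) if m else None


def check_plugin_file(path: str) -> Optional[bool]:
    """True if the plugin file declares an affected version, False if patched,
    None if the file carries no Version header (e.g. a non-main plugin file)."""
    version = version_from_plugin_header(Path(path).read_text(errors="replace"))
    return None if version is None else is_affected(version)


# Constructed sample header in the WordPress plugin header format (an assumption;
# the real main file and its exact header are not given in the advisory).
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: SW Plus\n * Version: 2.1\n */\n"

if __name__ == "__main__":
    declared = version_from_plugin_header(SAMPLE_HEADER)
    state = "AFFECTED, update to 2.2 or later" if is_affected(declared) else "patched"
    print(f"SW Plus declares {declared}: {state}")
```

Point `check_plugin_file` at the plugin's main PHP file under `wp-content/plugins/` on each site you administer; a result of `True` means the install is in the advisory's affected range.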
OpenCVE Enrichment