Impact
This vulnerability is an instance of improper neutralization of input during web page generation (CWE-79). The WordPress User Role plugin fails to escape user-controlled data before writing it into a page, enabling reflected Cross-Site Scripting. An attacker can inject arbitrary JavaScript that runs in the victim's browser when the vulnerable page is accessed. Consequences include theft of session data, page defacement, and the facilitation of phishing or malware distribution, as described under CWE-79.
Affected Systems
The weakness resides in the ehabstar WordPress User Role plugin and affects all versions through and including 1.0. Any site running a release of this plugin from the first available version up to and including 1.0 is potentially exposed.
Risk and Exploitability
The CVSS score of 7.1 indicates a moderate to high severity with a client-side impact. The EPSS score of less than 1% suggests that exploitation is currently rare, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to deliver a crafted URL or form containing malicious input, which the plugin then reflects into the page without proper sanitization. If a user visits such a URL, the injected script executes in their browser context, allowing the attacker to obtain sensitive information or perform actions on behalf of the victim.
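The pattern described above, as an added illustration that is not the ehabstar User Role plugin's actual code: a hypothetical admin-page handler that echoes a query-string value unescaped, beside the hardened form that unslashes and sanitizes on input, escapes for the exact output context, and ties the request to a nonce. The function names, the `role` parameter, the nonce action `ur_role_filter` and the `user-role` text domain are assumptions; the WordPress API calls are real.

```php
<?php
// Added illustration, not code from the ehabstar User Role plugin.

// VULNERABLE (hypothetical): the 'role' query parameter is written
// straight into the HTML response, so any markup placed in the URL is
// rendered as-is. This is the reflected-XSS pattern the advisory describes.
function ur_render_role_filter_unsafe() {
    $role = isset( $_GET['role'] ) ? $_GET['role'] : '';
    echo '<form method="get">';
    echo '<input type="text" name="role" value="' . $role . '">';
    echo '</form>';
    echo '<p>Showing users with role: ' . $role . '</p>';
}

// HARDENED: verify the request originated from this plugin's own UI,
// unslash and sanitize the input, and escape on output for the context
// the value lands in (attribute value vs. text node).
function ur_render_role_filter_safe() {
    $role = '';
    if ( isset( $_GET['role'] ) ) {
        // Rejects the request (wp_die) if the _wpnonce field is missing or
        // invalid, so a link the user did not initiate from this page fails.
        check_admin_referer( 'ur_role_filter' );
        // sanitize_key() reduces the value to lowercase [a-z0-9_-], which is
        // all a WordPress role slug can legitimately contain.
        $role = sanitize_key( wp_unslash( $_GET['role'] ) );
    }

    echo '<form method="get">';
    // Emits the hidden _wpnonce field that check_admin_referer() expects.
    wp_nonce_field( 'ur_role_filter' );
    // esc_attr() for an attribute value.
    printf( '<input type="text" name="role" value="%s">', esc_attr( $role ) );
    echo '</form>';
    // esc_html() for text content; esc_html__() for the translated label.
    printf(
        '<p>%s %s</p>',
        esc_html__( 'Showing users with role:', 'user-role' ),
        esc_html( $role )
    );
}
```

Escaping at the output point is the fix for CWE-79 itself; the nonce and input sanitization are defence in depth that also make unsolicited crafted URLs fail before anything is rendered.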