A reflected cross‑site scripting vulnerability exists in the WordPress plugin Danish Ali Malik Top Bar – PopUps – by WPOptin. Unsanitized input from a web request is output in an HTML page, allowing an attacker to inject malicious script that runs in the victim’s browser. The impact includes the potential for session hijacking, theft of user credentials, defacement and other client‑side attacks that can compromise confidentiality, integrity, and availability of the site and its visitors.

All WordPress installations that use the Danish Ali Malik Top Bar – PopUps – by WPOptin plugin with a version of 2.0.8 or earlier are impacted. The vulnerability applies to any site that has this plugin installed, regardless of the WordPress version.

The CVSS score of 7.1 categorizes the flaw as high severity. The EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an attacker crafting a malicious URL or input that is subsequently viewed by a user, making user interaction necessary. Based on the description, it is inferred that once triggered, the reflected payload executes in the victim’s browser, which can be used for malicious purposes such as cookie theft or session hijack.