Impact
The issue is an instance of Improper Neutralization of Input During Web Page Generation, commonly known as Cross‑Site Scripting. Attackers can embed malicious JavaScript in user‑supplied data that the plugin echoes back into the generated page without adequate encoding. Because the injected script runs in the victim’s browser context, an attacker could steal session cookies, deface the front‑end, or redirect users to malicious sites, thereby compromising the confidentiality and integrity of the website’s front‑end.
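To make the weakness class concrete, the following is an added illustration and not code from the WP Frontend Submit plugin or from newbiesup. It contrasts a generic front-end form handler that prints a submitted field straight into the page (the pattern behind this weakness class) with a hardened version that sanitizes on input and escapes per output context. The function names and the `entry_title` field are hypothetical; `sanitize_text_field`, `wp_unslash`, `esc_html` and `esc_attr` are standard WordPress core functions.

```php
<?php
// Added example (not the plugin's own code). A front-end form handler that
// re-renders a submitted field, first as commonly written, then hardened.
// Field and function names are hypothetical.

// VULNERABLE pattern: the submitted value is concatenated into HTML untouched.
// A submission whose entry_title contains markup or a script tag becomes part
// of the page and executes in the browser of whoever views it.
function wpfs_demo_render_vulnerable( array $request ) {
    $title = isset( $request['entry_title'] ) ? $request['entry_title'] : '';
    return '<p class="entry-title">' . $title . '</p>'
         . '<input type="text" name="entry_title" value="' . $title . '">';
}

// HARDENED pattern: sanitize on input, escape on output, and pick the escaping
// function for the context the value lands in (text node vs. attribute value).
function wpfs_demo_render_hardened( array $request ) {
    $raw   = isset( $request['entry_title'] ) ? wp_unslash( $request['entry_title'] ) : '';
    // sanitize_text_field() strips tags and control characters from the stored value.
    $title = sanitize_text_field( $raw );
    // esc_html() encodes <, >, &, " and ' for element content;
    // esc_attr() does the same for attribute values, so a quote cannot close the
    // attribute and start a new one (e.g. an event handler).
    return '<p class="entry-title">' . esc_html( $title ) . '</p>'
         . '<input type="text" name="entry_title" value="' . esc_attr( $title ) . '">';
}

// Equivalent hardened output using WordPress's print helpers instead of
// building a string, which is how most plugin templates are written.
function wpfs_demo_print_hardened( array $request ) {
    $title = isset( $request['entry_title'] )
        ? sanitize_text_field( wp_unslash( $request['entry_title'] ) )
        : '';
    echo '<p class="entry-title">';
    echo esc_html( $title );
    echo '</p>';
    echo '<input type="text" name="entry_title" value="';
    echo esc_attr( $title );
    echo '">';
}
```

When reviewing a plugin for this class of issue, look for every `echo`, `print` or string concatenation that carries `$_GET`, `$_POST`, `$_REQUEST` or stored form data into markup, and check that the value passes through the escaping function matching its destination (`esc_html` for text, `esc_attr` for attributes, `esc_url` for `href`/`src`, `wp_json_encode` for values placed into inline JavaScript). Input sanitization alone is not enough: the escaping at the point of output is what neutralizes the data for the page.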
Affected Systems
The vulnerability affects the WP Frontend Submit plugin from newbiesup, specifically every release through version 1.1.0. WordPress sites that have not upgraded beyond this version and still use the plugin for front‑end form submission are potentially exposed.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests exploitation attempts are expected to be rare. The vulnerability is not listed in the CISA KEV catalog. Attackers must be able to supply a malicious payload in a request processed by the plugin, so the attack requires user interaction, such as clicking a crafted link or submitting a malicious form.
OpenCVE Enrichment