Impact
The vulnerability is a reflected cross-site scripting (XSS) flaw: user-supplied input taken from the request is not sufficiently sanitized and escaped before the plugin writes it into a web page. An attacker who gets a user to open a crafted URL can therefore run arbitrary JavaScript in that user's browser, in the origin of the vulnerable WordPress site. The injected code can read what the page exposes, deface the page as the victim sees it, redirect the victim to a malicious site, or perform actions with the victim's authenticated session. One caveat for anyone assessing impact: WordPress marks its authentication cookies HttpOnly, so stealing the session cookie outright is usually not possible; the practical route is driving the victim's session to perform actions (for example against admin endpoints that accept the user's nonces), which is most damaging when the victim is an administrator. The flaw compromises the confidentiality and integrity of the affected user's interaction with the site.
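The pattern behind this class of bug, shown as an added illustration rather than code from the WP Church Center plugin: the request parameter name `q` and the markup are hypothetical stand-ins for whatever the plugin actually reflects. The vulnerable function concatenates the raw value into the response; the hardened one escapes for the exact output context. WordPress code would use esc_html() and esc_attr() for this; htmlspecialchars() is used here only so the file runs without WordPress loaded.

```php
<?php
// Added example, not code from the WP Church Center plugin or its vendor.
// Parameter name "q" and the surrounding markup are hypothetical.

// Vulnerable pattern: the raw request value is written straight into HTML,
// so markup carried in the URL is parsed and executed by the victim's browser.
function render_vulnerable(array $get): string {
    $q = $get['q'] ?? '';
    return '<p>Results for: ' . $q . '</p>'
         . '<input type="text" name="q" value="' . $q . '">';
}

// Hardened pattern: escape at output time for the context being written.
// In a WordPress plugin: esc_html() for text nodes, esc_attr() for attribute
// values; sanitize_text_field( wp_unslash( $_GET['q'] ) ) on input is a
// sensible addition but not a substitute for output escaping.
function esc_ctx(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_hardened(array $get): string {
    $q = (string) ($get['q'] ?? '');
    return '<p>Results for: ' . esc_ctx($q) . '</p>'
         . '<input type="text" name="q" value="' . esc_ctx($q) . '">';
}

// Constructed payload: closes the value attribute and injects an event handler.
$crafted = ['q' => '"><img src=x onerror=alert(document.cookie)>'];

echo "Vulnerable output:\n", render_vulnerable($crafted), "\n\n";
echo "Hardened output:\n", render_hardened($crafted), "\n";
```

Run with `php xss_demo.php`: the vulnerable output contains a live `<img onerror=...>` element, while the hardened output renders the same string as inert text (`&quot;&gt;&lt;img ...`). The point to check in a plugin review is that every echo of request data goes through a context-appropriate escaping function, not merely through an input sanitizer.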
Affected Systems
The flaw exists in the WP Church Center plugin for WordPress, published by wpchurchteam, in all versions from the earliest release up to and including 1.3.3. The plugin is used on WordPress sites that integrate church-center functionality. No fixed version is listed, so any deployment running 1.3.3 or earlier should be treated as vulnerable; before assuming a fix exists, check the plugin's changelog for a release newer than 1.3.3, and if none is available, deactivating the plugin is the only certain mitigation.
Risk and Exploitability
The CVSS base score of 7.1 falls in the High band (7.0 to 8.9) of CVSS v3.x, while the EPSS score of under 1 % estimates a low probability of exploitation in the wild over the next 30 days. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires no privileges or authentication on the attacker's side, but it does require user interaction: the attacker must get a victim to open a crafted link, or load a page that issues the request, with the payload placed in a request parameter that the plugin reflects. Because the flaw is reflected rather than stored, nothing is persisted on the server and the payload runs only in the browser of the user who follows the link; it does, however, run in the site's origin, so it can be leveraged for phishing, credential theft, or actions performed with that user's session. A logged-in administrator is the most valuable target.
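Because exploitation depends on a victim following a crafted link, probes and successful lures both show up in the web server's access log as requests whose query string carries HTML or JavaScript. The triage script below is an added example, not part of OpenCVE's page or the vendor's code: the log lines are constructed, the path `/events/` and the parameter `view` are hypothetical stand-ins for whatever the plugin reflects, and the indicator list is deliberately coarse. It decodes nested percent-encoding because attackers double-encode payloads to slip past simple filters.

```python
"""Added triage example (constructed data, not from the plugin or OpenCVE):
flag access-log requests whose query parameters carry XSS probe markup."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Coarse indicators that rarely appear in legitimate query-string values.
# Tune for your environment; e.g. a value like "one=1" trips the handler rule.
XSS_INDICATORS = re.compile(
    r"<\s*script\b|<\s*/\s*script|javascript\s*:|\bon[a-z]+\s*=|"
    r"<\s*(img|svg|iframe|body|object|embed)\b",
    re.IGNORECASE,
)

# Combined/common log format: ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines; path and parameter name are hypothetical.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2025:10:01:02 +0000] "GET /?s=sermon HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/May/2025:10:01:09 +0000] '
    '"GET /events/?view=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4410',
    '198.51.100.23 - - [12/May/2025:10:02:15 +0000] '
    '"GET /events/?view=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4410',
    '192.0.2.44 - - [12/May/2025:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding; stop when a pass changes nothing."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_probes(lines):
    """Return one record per (request, parameter) whose decoded value matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = urlsplit(m.group("target"))
        # parse_qsl performs one decoding pass; fully_decode handles the rest.
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = fully_decode(raw)
            if XSS_INDICATORS.search(value):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "path": parts.path,
                    "param": name,
                    "value": value,
                    "status": m.group("status"),
                })
    return hits


if __name__ == "__main__":
    for hit in find_xss_probes(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["path"]}?{hit["param"]}= -> {hit["value"]!r}')
```

A 200 response to such a request tells you only that the endpoint accepted the parameter, not that the payload fired; confirm by requesting the same URL against a staging copy and inspecting whether the value comes back unescaped. Pair the rule with the referrer and user agent fields to separate scanner noise from a real victim following a link.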