Impact
The vulnerability arises from improper neutralization of input during web page generation, allowing an attacker to inject malicious script that the page then reflects back to the victim. This reflected XSS can be triggered by sending a crafted URL to a user of the vulnerable site, enabling theft of session cookies, defacement, or execution of malicious code in the user’s browser. The weakness is classified as CWE-79 and poses a moderate confidentiality and integrity risk to visitors of the affected WordPress site.
Affected Systems
The issue affects the WordPress plugin Meta Accelerator developed by Yuichiro ABE. All releases from the initial public version up to and including version 1.0.4 are vulnerable. Site owners running any of these plugin versions should consider updating or removing the plugin.
Risk and Exploitability
With a CVSS score of 7.1, the vulnerability is considered high enough to warrant attention, yet its EPSS score of less than 1 percent indicates a low probability of widespread exploitation at present. Because the flaw is triggered via a reflected XSS vector in the browser, any user who follows a malicious link on a page served by the site could be affected. The vulnerability is not yet listed in the CISA KEV catalog, and there are no publicly documented exploits; even so, immediate patching remains the safest course.