Impact
The Cookies Pro plugin for WordPress fails to neutralize user-controlled input before echoing it back into a web page, resulting in a reflected cross-site scripting (XSS) flaw. An attacker can place JavaScript or other executable content in a value that the plugin reflects into its response. When a victim opens the crafted page, the payload runs in the victim's browser under the affected site's origin, letting the attacker steal session data (even where session cookies are HttpOnly, the script can still issue requests as the victim), bypass secondary authentication, or mount further phishing attacks. This is a textbook instance of CWE-79 (improper neutralization of input during web page generation): user-supplied data is not escaped for its output context before it is rendered.
Affected Systems
Any WordPress site running the Pixelpro Cookies Pro plugin at version 1.0 or earlier is vulnerable. The advisory gives no lower bound, so every release from the first up to and including 1.0 should be treated as affected. Operators should confirm whether the plugin is installed and which version is present before applying remediation; the version is recorded in the Version: header of the plugin's main PHP file and is shown on the Plugins screen in wp-admin.
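One way to carry out that check on a server, as an added example that is not part of this advisory or the plugin: the script below walks wp-content/plugins, reads each plugin's file header the way WordPress does (first 8 KB of the main file) and flags a Cookies Pro install whose version is at or below 1.0. The plugin's directory slug is not given on the page, so matching on the Plugin Name header, and the regular expression used for it, are assumptions.

```php
<?php
// Added example, not the advisory's or the plugin's code.
// Usage: php check-cookies-pro.php /var/www/html
//
// Assumption: the plugin's directory name is not stated on the page, so the
// plugin is located by its "Plugin Name" header rather than by slug.

const AFFECTED_MAX = '1.0';               // "version 1.0 or earlier" per the advisory
const NAME_PATTERN = '/cookies\s*pro/i';  // assumed match on the header name

function read_plugin_headers(string $file): array {
    // WordPress itself only inspects the first 8 KB of a plugin's main file.
    $head = file_get_contents($file, false, null, 0, 8192);
    if ($head === false) {
        return [];
    }
    $headers = [];
    foreach (['Plugin Name', 'Version'] as $field) {
        // Header lines look like " * Version: 1.0" inside the file's comment block.
        if (preg_match('/^[ \t\/*#@]*' . preg_quote($field, '/') . ':(.*)$/mi', $head, $m)) {
            $headers[$field] = trim($m[1]);
        }
    }
    return $headers;
}

function is_affected(string $version): bool {
    // version_compare() treats "1.0" and "1.0.0" as equal and orders
    // "0.9" < "1.0" < "1.0.1", which matches the advisory's open lower bound.
    return version_compare($version, AFFECTED_MAX, '<=');
}

function scan_plugins(string $wpRoot): array {
    $results = [];
    foreach (glob($wpRoot . '/wp-content/plugins/*', GLOB_ONLYDIR) ?: [] as $dir) {
        foreach (glob($dir . '/*.php') ?: [] as $file) {
            $h = read_plugin_headers($file);
            if (isset($h['Plugin Name']) && preg_match(NAME_PATTERN, $h['Plugin Name'])) {
                // A missing Version header is treated as "0", i.e. conservatively affected.
                $version = $h['Version'] ?? '0';
                $results[] = [
                    'dir'      => basename($dir),
                    'name'     => $h['Plugin Name'],
                    'version'  => $version,
                    'affected' => is_affected($version),
                ];
            }
        }
    }
    return $results;
}

$root  = $argv[1] ?? '.';
$found = scan_plugins($root);
if (!$found) {
    echo "Cookies Pro not found under $root/wp-content/plugins\n";
    exit(0);
}
foreach ($found as $r) {
    printf("%s (%s) version %s: %s\n", $r['name'], $r['dir'], $r['version'],
        $r['affected'] ? 'AFFECTED - update or deactivate' : 'not in affected range');
}
```

The scan reports the plugin whether or not it is activated, because the files, not the activation state, determine what code is reachable on the host; treat any hit in the affected range as something to update or remove.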
Risk and Exploitability
The CVSS score of 7.1 falls in the High band of the CVSS qualitative rating scale (7.0 to 8.9). The EPSS score of less than 1% indicates a low estimated probability of exploitation in the wild over the next 30 days, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The weakness is triggered by a single web request carrying the malicious input, so the attacker only needs to get a victim to open a crafted URL, for example by sending the link directly or embedding it in a page the victim visits. Because the flaw is reflected, the payload exists only in that request and its response: it affects whoever opens the malicious link but is not stored on the site. The practical risk is therefore greatest for sites whose visitors or administrators can be lured to such a link and that lack compensating controls such as a restrictive Content Security Policy.
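The plugin's actual vulnerable code path is not shown on the page. The added example below (not the plugin's code) reproduces the generic CWE-79 pattern the advisory describes, a request parameter echoed unescaped into HTML, beside the WordPress-idiomatic fix that escapes for each output context. The parameter name cp_msg, the function names and the constructed payload are assumptions; the fallback definitions of wp_unslash, esc_html and esc_attr exist only so the file runs outside WordPress.

```php
<?php
// Added example, not the plugin's code. Run with: php reflect-demo.php
// Assumptions: parameter name "cp_msg", function names, and the payload below.

// Vulnerable pattern: the request value is written straight into a text node
// and into an attribute, so a "> breakout followed by <script> executes in the
// visitor's browser under the site's origin.
function render_notice_vulnerable(array $get): string {
    $msg = $get['cp_msg'] ?? '';
    return '<div class="cp-notice" data-msg="' . $msg . '">' . $msg . '</div>';
}

// WordPress adds slashes to request superglobals, so values are unslashed
// first, then escaped for the exact context they land in: esc_html() for text
// nodes, esc_attr() for quoted attribute values. Outside WordPress the
// fallbacks below stand in for those functions (htmlspecialchars is a close
// but not identical substitute; the real functions also reject invalid UTF-8).
if (!function_exists('wp_unslash')) {
    function wp_unslash($v) { return is_string($v) ? stripslashes($v) : $v; }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}

// Hardened pattern: non-string input (e.g. ?cp_msg[]=x) is discarded, and each
// copy of the value is escaped for its own context.
function render_notice_fixed(array $get): string {
    $raw = $get['cp_msg'] ?? '';
    $msg = is_string($raw) ? wp_unslash($raw) : '';
    return '<div class="cp-notice" data-msg="' . esc_attr($msg) . '">' . esc_html($msg) . '</div>';
}

// Constructed payload of the kind a crafted URL would carry, e.g.
//   /?cp_msg=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
$payload = ['cp_msg' => '"><script>alert(document.cookie)</script>'];

echo render_notice_vulnerable($payload), "\n"; // script tag reaches the browser intact
echo render_notice_fixed($payload), "\n";      // rendered as &quot;&gt;&lt;script&gt;... text only
```

The difference between the two outputs is the whole vulnerability: in the first, the browser parses a closed attribute followed by a live script element; in the second, every character that could change HTML structure has been encoded, so the same request yields only inert text. Escaping on output is the fix; input filtering alone is not a substitute, because the same value may be reflected into several contexts.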
OpenCVE Enrichment