Impact
The vulnerability in the WP Discord Post plugin is an improper neutralization of input during web page generation, classified as a reflected XSS (CWE‑79). When an attacker supplies crafted input that the plugin reflects back into a page, arbitrary JavaScript can execute in the victim’s browser. An attacker can then steal credentials, hijack sessions, or redirect users to malicious sites, potentially compromising confidentiality, integrity, and availability of the site’s frontend. No privileged server access is required; the impact is limited to clients who open the affected content.
Affected Systems
The flaw affects any WordPress installation running the WP Discord Post plugin at version 2.1.0 or earlier. The plugin is developed by Nicola Mustone; every release up to and including 2.1.0 is affected.
Risk and Exploitability
The CVSS base score of 7.1 indicates a medium‑to‑high risk. The EPSS score of less than 1% suggests a low probability of exploitation at present, and the flaw is not listed in the CISA KEV catalog. The likely attack vector is a crafted URL or form submission whose input the plugin processes and reflects back into the page without proper sanitization. Authentication is not required; the attack works on any page that displays the reflected data. It is therefore a client‑side vulnerability, but one with potentially serious consequences if user sessions are compromised.
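The two sections above describe the general shape of the flaw (request input reflected into generated HTML) and its fix (escaping at the point of output). The following is an added illustration written for this page; it is not code from the WP Discord Post plugin, and the request parameter name `channel` and the rendering functions are hypothetical. The `esc_html()`/`esc_attr()` stand-ins exist only so the script runs outside WordPress; inside a plugin, the real functions of the same name from `wp-includes/formatting.php` are used.

```php
<?php
declare(strict_types=1);

// Stand-ins for the WordPress escaping helpers so this example runs without WordPress.
// Inside WordPress these names already exist and the definitions below are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample request: a hypothetical "channel" parameter carrying markup.
// The real vulnerable parameter is not named in the advisory.
$request = ['channel' => '<script>alert(document.cookie)</script>'];

// VULNERABLE pattern (CWE-79): request input is concatenated into the page unchanged,
// so whatever a crafted URL carries is handed to the victim's browser as markup.
function render_status_vulnerable(array $request): string
{
    $channel = (string) ($request['channel'] ?? '');
    return '<p>Posting to Discord channel: ' . $channel . '</p>'
         . '<input type="text" name="channel" value="' . $channel . '">';
}

// HARDENED pattern: escape at the point of output, choosing the escaper that matches
// the HTML context (text node vs. attribute value). The value is still reflected,
// but only as inert text, which is what "proper neutralization" means in CWE-79.
function render_status_hardened(array $request): string
{
    $channel = (string) ($request['channel'] ?? '');
    return '<p>Posting to Discord channel: ' . esc_html($channel) . '</p>'
         . '<input type="text" name="channel" value="' . esc_attr($channel) . '">';
}

// Minimal review check: the rendered page must not contain the raw tag from the request.
function contains_raw_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$vuln = render_status_vulnerable($request);
$safe = render_status_hardened($request);

echo "Vulnerable output:\n$vuln\n\n";
echo "Hardened output:\n$safe\n\n";
echo 'Raw <script> in vulnerable output: ' . var_export(contains_raw_script($vuln), true) . "\n";
echo 'Raw <script> in hardened output:   ' . var_export(contains_raw_script($safe), true) . "\n";
```

Run it with `php example.php`. The point the example makes is that the fix for reflected XSS is output encoding chosen per context, not input filtering alone: `esc_html()` for text between tags and `esc_attr()` for quoted attribute values. WordPress also offers `sanitize_text_field()` for cleaning input on the way in, but a reviewer auditing a plugin for this class of bug should look for every place a request value reaches `echo`, string concatenation, or a template and confirm it passes through a context-appropriate escaper there.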
OpenCVE Enrichment
EUVD