The Secure Invites plugin for WordPress contains an improper neutralization of input that enables reflected cross‑site scripting. An attacker can supply crafted query parameters that are reflected in the browser page without encoding, allowing the execution of arbitrary JavaScript in the victim’s session. This flaw may be used to steal credentials, deface the site, or redirect users to malicious domains. The weakness is classified as CWE‑79 and affects confidentiality and integrity for users who load the vulnerable page.

The vulnerability is present in all releases of the Chris Taylor Secure Invites plugin up to and including version 1.3. It applies to WordPress installations that use the cumulative plugin under the names Secure Invites or wordpress‑mu‑secure‑invites. Sites using older or newer releases are not affected. Administrators should verify the installed version and scan for any presence of the plugin in their multisite network.

The CVSS score of 6.5 places the flaw in the medium severity range, while the EPSS score of less than 1 % indicates an extremely low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the weakness by navigating a victim to a specially crafted URL that includes malicious script in the query string, relying on the plugin’s lack of input sanitization before rendering the output. Because the flaw is reflected rather than stored, only time‑limited or phishing attacks are possible unless the attacker can influence the page’s content directly with an injection vector.