Impact
Improper neutralization of user‑supplied input during web page generation in the Muneeb:Mobile rocket-wp-mobile plugin creates a reflected cross‑site scripting vulnerability. The plugin does not encode or validate data echoed back to the browser, enabling an attacker to craft a URL or form that contains malicious script which is executed in the victim’s browser when the page is rendered. This flaw allows arbitrary JavaScript execution in the context of the site, potentially enabling attackers to manipulate page content, interfere with user interactions, or conduct phishing attacks.
Affected Systems
The vulnerability affects all releases of the Muneeb:Mobile rocket-wp-mobile WordPress plugin up through version 1.3.3. This includes any site that has installed the plugin from its earliest release through that limit.
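A version check for the affected range above, as an added example that is not part of the advisory or the plugin's code. It assumes the plugin lives in a `wp-content/plugins/rocket-wp-mobile` directory and carries a standard WordPress `Version:` header; the sample tree in `__main__` is constructed.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = "1.3.3"           # from the advisory: all releases up through 1.3.3
PLUGIN_SLUG = "rocket-wp-mobile"  # assumed directory name under wp-content/plugins

# WordPress reads plugin metadata from a comment header in the first 8 KB of a file.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)


def version_key(version):
    """Turn '1.3.3' into (1, 3, 3); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+]", version))


def is_affected(version, last_affected=LAST_AFFECTED):
    """True when version <= last_affected, padding the shorter tuple with zeros."""
    a, b = version_key(version), version_key(last_affected)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) <= b + (0,) * (width - len(b))


def installed_version(plugin_dir):
    """Return the Version header of the first top-level PHP file that has one."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        match = HEADER_RE.search(head)
        if match:
            return match.group(1)
    return None


def check_site(wp_root):
    """Return (version, affected), or (None, False) if the plugin is absent."""
    version = installed_version(Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG)
    return (version, is_affected(version)) if version else (None, False)


if __name__ == "__main__":
    # Constructed sample tree; point check_site() at a real WordPress root instead.
    with tempfile.TemporaryDirectory() as root:
        plugin = Path(root, "wp-content", "plugins", PLUGIN_SLUG)
        plugin.mkdir(parents=True)
        Path(plugin, "plugin.php").write_text(
            "<?php\n/*\nPlugin Name: Sample\nVersion: 1.3.3\n*/\n")
        print(check_site(root))
```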
Risk and Exploitability
The CVSS score of 7.1 indicates moderate to high severity. The EPSS score of less than 1 % suggests a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is remote; any visitor to the site can trigger the reflected XSS by accessing a malicious link or submitting a crafted form that the plugin reflects back. No special privileges or network access are required beyond public web access.