Impact
The TTT Crop WordPress plugin contains an Improper Neutralization of Input During Web Page Generation weakness (CWE-79) that permits reflected cross-site scripting (XSS). Input that the plugin reflects back into the page response is not encoded for its HTML context, so an attacker who controls that input can inject JavaScript into the response. The script runs in the victim's browser under the victim's session, which can lead to session hijacking, theft of data the victim can access, or defacement of the site.
Affected Systems
The vulnerability affects the gabrielperezs TTT Crop plugin for WordPress in all versions up to and including 1.0. Site administrators using this plugin should verify the installed version and either upgrade to a patched release, if one is available, or remove the plugin.
Risk and Exploitability
A CVSS score of 7.1 places the flaw in the high severity band. Its EPSS score is below 1%, indicating a low estimated probability of exploitation at present, and CISA does not list it as a known exploited vulnerability. The attack is client-side and requires user interaction: the attacker must get a victim to open a crafted URL or submit crafted form input that the plugin reflects into the response. The victim's browser then executes the injected script unless a control such as a strict Content Security Policy blocks inline script. No authentication is needed to mount the attack, and its effects are confined to what the victim's browser can do with the victim's session; if that victim is a logged-in administrator, this includes any action the WordPress dashboard permits.
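As an added illustration, not code from the TTT Crop plugin, the following PHP shows the CWE-79 pattern described under Impact beside its hardened form, with the Content Security Policy header mentioned above as defence in depth. The parameter name `img` and the function names are hypothetical; this page does not identify which input the plugin reflects.

```php
<?php
/*
 * Added illustration, not code from the TTT Crop plugin. The parameter name
 * ($_GET['img']) and the function names are hypothetical; the page does not
 * identify which input the plugin reflects.
 */

// Vulnerable (CWE-79): the request parameter is echoed into the response untouched.
// A link such as  ?img=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E
// lands in the page verbatim and runs in the visitor's browser.
function tttcrop_preview_vulnerable() {
    $img = isset( $_GET['img'] ) ? $_GET['img'] : '';
    echo '<p>Cropping: ' . $img . '</p>';
    echo '<input type="hidden" name="img" value="' . $img . '">';
}

// Hardened: unslash and sanitize on input, then escape for the exact output context.
function tttcrop_preview_hardened() {
    $img = isset( $_GET['img'] ) ? sanitize_text_field( wp_unslash( $_GET['img'] ) ) : '';
    // Text node: esc_html() converts < > & " ' to entities, so no tag can open.
    echo '<p>Cropping: ' . esc_html( $img ) . '</p>';
    // Quoted attribute: esc_attr() keeps a payload like  " onfocus="alert(1)  inside the value.
    echo '<input type="hidden" name="img" value="' . esc_attr( $img ) . '">';
}

// Defence in depth: a CSP without 'unsafe-inline' stops an injected inline <script>
// even if an escape is missed. The send_headers action fires for front-end requests;
// wp-admin relies on inline scripts, so covering the dashboard with a policy this
// strict requires nonces or hashes.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
} );
```

The hardened function follows the WordPress convention of sanitizing on input and escaping at the point of output, choosing the escape function by context (`esc_html()` for text nodes, `esc_attr()` for quoted attributes). Note that `sanitize_text_field()` alone is not sufficient: it strips tags but does not encode quotes, so without `esc_attr()` an attacker can still break out of an attribute value.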