Impact
A reflected XSS flaw exists in the Advanced Custom Fields: Link Picker Field plugin, allowing an attacker to inject malicious JavaScript into web pages viewed by users who interact with crafted URLs or payloads. The vulnerability arises from improper neutralization of user input during web page generation: a request parameter is written back into the page without adequate escaping, so arbitrary script can execute in the victim's browser. Depending on the attacker's intent, this could lead to session hijacking, credential theft, defacement, or the delivery of malware. The weakness is classified as CWE-79, and it compromises the confidentiality, integrity, and availability of affected sites for any user who loads the vulnerable content.
Affected Systems
The issue affects the caalami plugin Advanced Custom Fields: Link Picker Field, versions from the original release (n/a) up to and including 1.2.8. All installations of this plugin that have not upgraded beyond version 1.2.8 are potentially vulnerable.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, but the EPSS score of less than 1% suggests exploitation in the wild is currently unlikely. The vulnerability is not yet listed in the CISA KEV catalog. The likely attack path involves an attacker constructing a malicious URL that injects a payload into a parameter rendered by the plugin; when a victim visits that URL, the script executes in the victim's browser. No privileged access is required: the attack is typically launchable from a public or community-level position, which is consistent with a reflected XSS attack vector in which the victim must be induced to open the crafted link.
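The following is an added illustration of the generic reflected-XSS pattern described above, not code from the plugin or the advisory. The parameter names `link_url` and `link_label` and the two render functions are hypothetical; the advisory does not identify the plugin's actual vulnerable parameter. The unsafe function writes request input straight into the page (the CWE-79 pattern), and the hardened function escapes each value for the context it lands in, using the WordPress escaping helpers `esc_url()`, `esc_attr()` and `esc_html()`. Simplified stand-ins for those helpers are defined only so the file runs from the command line outside WordPress.

```php
<?php
// Added illustration (not the plugin's code): a reflected XSS sink in its
// unsafe and hardened forms. Parameter and function names are hypothetical.

// Minimal stand-ins so this file runs outside WordPress. Inside WordPress the
// real esc_attr(), esc_html() and esc_url() are used; these approximations
// are deliberately simpler than the originals.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url(string $url): string {
        // Allow only http(s) links; any other scheme is rejected outright.
        $parts = parse_url($url);
        if ($parts === false || !isset($parts['scheme'])
            || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// UNSAFE (hypothetical): request parameters are concatenated into the markup
// with no neutralization, so anything the requester supplies is rendered as-is.
function render_link_unsafe(array $query): string {
    $url   = $query['link_url']   ?? '';
    $label = $query['link_label'] ?? '';
    return '<a href="' . $url . '">' . $label . '</a>';
}

// HARDENED (hypothetical): each value is escaped for the context it is written
// into. esc_url() for the href, esc_attr() inside an attribute, esc_html() for
// element text. The same input is now inert markup rather than executable script.
function render_link_safe(array $query): string {
    $url   = $query['link_url']   ?? '';
    $label = $query['link_label'] ?? '';
    return '<a href="' . esc_url($url) . '" title="' . esc_attr($label) . '">'
         . esc_html($label) . '</a>';
}

// Constructed sample standing in for $_GET; textbook test strings, not a
// payload from the advisory.
$sample = [
    'link_url'   => 'javascript:alert(1)',
    'link_label' => '<img src=x onerror=alert(1)>',
];

echo "Unsafe:   " . render_link_unsafe($sample) . PHP_EOL;
echo "Hardened: " . render_link_safe($sample) . PHP_EOL;
```

Run with `php` from the command line: the unsafe line echoes the tags and the `javascript:` URL verbatim, while the hardened line drops the non-http URL and renders the label as escaped text. In a deployed site the remediation is the one the advisory implies, upgrading the plugin past version 1.2.8, with context-appropriate escaping as the general defence against this class of flaw.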