Impact
This vulnerability is a reflected cross-site scripting (XSS) flaw caused by improper neutralization of input in the HasThemes WP Templata plugin for WordPress. A malicious actor can craft a URL that, when a victim opens it, injects JavaScript into the returned page so that it executes in the victim's browser. The effect is execution of arbitrary client-side code, which can lead to session hijacking, defacement, or theft of data from the user's session. The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% implies a low likelihood of exploitation in the wild at the time of analysis; the vulnerability is not listed in the CISA KEV catalog.
Affected Systems
The flaw affects the WordPress WP Templata plugin developed by HasThemes. All installations running version 1.0.7 or earlier are vulnerable. No specific sub-versions were enumerated beyond this upper bound.
Risk and Exploitability
Given the high CVSS score, the potential for damage is significant if an attacker can reach the vulnerable endpoint. Because the flaw is described as reflected XSS, the most plausible attack path is a reflected parameter in a URL or form field; this is an inference from the description rather than a stated detail. No authentication requirement is stated, suggesting the flaw could be triggered by a remote, unauthenticated user. The low EPSS suggests that, although the technical risk is high, the chance of automated exploitation remains limited at present. Monitoring and patching remain advisable.
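Because the affected range is stated only as "1.0.7 or earlier", a defender's first step is to find installed copies inside that range. The script below is an added example (not from the advisory or the plugin vendor): it reads the standard WordPress plugin header from a plugin's main PHP file, parses the Version: line, and compares it numerically against 1.0.7 so that a version such as 1.0.10 is correctly treated as newer. The sample header embedded at the bottom is constructed for the demonstration, and the file-reading helper assumes you know the plugin's main file path, which the advisory does not give.

```python
"""Flag WP Templata installs in the affected range (version 1.0.7 or earlier)
by parsing the WordPress plugin header. Added example; the sample header
below is constructed and the plugin file path is an assumption."""
import re
from pathlib import Path
from typing import Optional, Tuple

# Upper bound of the affected range as stated in the advisory.
MAX_AFFECTED = "1.0.7"

# WordPress reads plugin metadata from a comment block such as
# " * Version: 1.0.7"; the character class tolerates the usual "/ * #" prefixes.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the Version: value from a plugin header, or None if absent."""
    m = VERSION_RE.search(header_text)
    return m.group(1).strip() if m else None


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '1.0.10' into (1, 0, 10) so it sorts after 1.0.7; a plain string
    comparison would wrongly rank '1.0.10' below '1.0.7'. Any trailing tag
    such as '-beta' is ignored for the comparison."""
    numeric = re.match(r"[\d.]+", version)
    parts = numeric.group(0).split(".") if numeric else []
    return tuple(int(p) for p in parts if p.isdigit())


def is_affected(version: str, max_affected: str = MAX_AFFECTED) -> bool:
    """True when version <= max_affected (the advisory's '1.0.7 or earlier')."""
    return version_key(version) <= version_key(max_affected)


def check_plugin_file(path: Path) -> Optional[bool]:
    """Read a plugin's main file and report whether it is in the affected range.
    Returns None when no Version: header is found."""
    text = path.read_text(encoding="utf-8", errors="replace")
    version = parse_plugin_version(text)
    return None if version is None else is_affected(version)


# Constructed sample header in the WordPress plugin-header format.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WP Templata
 * Version: 1.0.7
 * Author: HasThemes
 */
"""

if __name__ == "__main__":
    v = parse_plugin_version(SAMPLE_HEADER)
    print(f"detected version {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
```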
OpenCVE Enrichment