Impact
Improper neutralization of input during web page generation results in a reflected cross-site scripting (XSS) flaw in the NotFound PrivateContent WordPress plugin. When an attacker supplies malicious data as part of a URL or form that the plugin later echoes back, the input is neither filtered nor encoded. The resulting script executes in the context of the victim’s browser, allowing the attacker to hijack sessions, steal cookies, deface the site, or exfiltrate confidential data. This is a moderate-to-high severity flaw (CVSS 7.1).
Affected Systems
WordPress sites that use the PrivateContent plugin version 8.11.5 or earlier are affected. The vulnerability is present across all releases from the first introduction through 8.11.5, as noted in the vendor statement. Site owners should verify the exact plugin version installed and confirm that it is on the upgrade path that includes the fix (v8.11.6 or later).
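One way to script the version check described above, as an added example that is not part of the advisory or the plugin's own code. It reads the `Version:` header that WordPress takes from a plugin's main PHP file and compares it numerically against 8.11.6; the sample header is constructed, and the path to the plugin's main file is an assumption you supply on the command line.

```python
import re
import sys

FIXED = (8, 11, 6)  # first fixed release according to the advisory text

# WordPress reads "Version:" from the comment header of the plugin's main file.
_HEADER = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)

# Constructed sample of a plugin main-file header (not copied from the plugin).
SAMPLE = """<?php
/*
Plugin Name: PrivateContent
Version: 8.11.5
*/
"""


def header_version(php_source):
    """Return the Version header value from plugin source text, or None."""
    match = _HEADER.search(php_source[:8192])  # WordPress scans only the first 8 KB
    return match.group(1) if match else None


def as_tuple(version):
    """'8.11.5' -> (8, 11, 5). Numeric compare, so 8.11.10 sorts after 8.11.6."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)  # treat '8.12' as 8.12.0
    return tuple(parts)


def status(php_source):
    """Classify plugin source as 'vulnerable', 'patched' or 'unknown'."""
    version = header_version(php_source)
    if version is None:
        return "unknown"
    return "vulnerable" if as_tuple(version) < FIXED else "patched"


if __name__ == "__main__":
    # Usage: python check_version.py /path/to/plugin-main-file.php [...]
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as handle:
            print(path, status(handle.read()))
```

A pre-release suffix such as `8.11.6-beta` is compared by its numeric part only, so treat such results as needing manual review.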
Risk and Exploitability
The CVSS score of 7.1 indicates medium-to-high impact, while the EPSS score of <1% shows that, in the data available, exploitation attempts are rare. The vulnerability does not appear in the CISA KEV catalog. Likely attack vectors are remote, via crafted URLs or form submissions whose content executes in the victim’s browser. Because the flaw triggers client-side code execution, it requires the user to visit a page that includes the unfiltered input. No specific authentication or privilege escalation is required, so any user visiting the vulnerable page could be impacted.