Impact
The Landing Page Cat plugin does not properly neutralize input during web page generation, which allows reflected cross-site scripting (XSS). Input parameters supplied to the plugin are not properly escaped, so an attacker can embed arbitrary JavaScript in the page output. The flaw is classified as CWE-79 and results in malicious script execution within the context of the vulnerable site.
Affected Systems
All releases of the fatcatapps Landing Page Cat WordPress plugin up to and including version 1.7.8 are vulnerable. Any site with one of those versions installed is affected.
Risk and Exploitability
The CVSS score of 7.1 indicates moderate-to-high severity. The EPSS score is reported as less than 1%, suggesting a low probability of exploitation in the wild at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog, meaning that no actively documented exploits are known. The likely attack vector is a crafted URL or input that causes the plugin to reflect unsanitized user-supplied data back to the victim's browser. Any injected script would then execute in that browser session.