Impact
The vulnerability is an improper neutralization of input during web page generation (reflected cross-site scripting) in the Famous WordPress plugin. User-supplied data that the plugin echoes back into the page is not escaped, so a crafted request can carry script that the victim's browser executes in the context of the affected site. Based on the description, an attacker could run arbitrary script with the privileges of whichever user opens the crafted request, which could lead to session or cookie theft or account takeover; these outcomes are not explicitly documented.
Affected Systems
Any WordPress installation running LambertGroup's Famous – Responsive Image And Video Grid Gallery WordPress Plugin at version 1.4 or earlier is affected. Every site with a vulnerable version installed is exposed. The injected script runs with the privileges of whichever user opens the crafted request, so the consequences range from a nuisance when the victim is an anonymous visitor to far more serious ones when the victim is a logged-in administrator. Browser-side mitigations such as a restrictive Content-Security-Policy may reduce exploitability but do not fix the plugin; updating or removing it does.
Risk and Exploitability
The CVSS score of 7.1 places the issue in the High severity band. The EPSS score of less than 1% suggests that exploitation is currently unlikely to be widespread, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is a reflected request: the attacker places script in a URL parameter or form field that the plugin echoes into the page without escaping, then induces a victim to open it, for example through a link in a phishing message. Because the XSS is reflected, it requires that victim interaction, but once the crafted URL or form submission is loaded the script executes in the context of whoever loaded it, whether an anonymous site visitor or a site administrator.
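The echo-without-escaping pattern described above, beside a hardened version, as an added illustration that is not the Famous plugin's code. The parameter name gallery_id, the markup and the probe string are hypothetical; the page does not name the affected parameter. Inside WordPress the escaping would be done with esc_attr() and esc_html(); here htmlspecialchars() with equivalent flags is used so the script runs stand-alone under the PHP CLI.

```php
<?php
// Added example, not code from the Famous plugin. "gallery_id" is a
// hypothetical placeholder; the real vulnerable parameter is not on this page.
declare(strict_types=1);

// Constructed probe: breaks out of an attribute and injects a script tag.
const XSS_PROBE = '"><script>alert(document.domain)</script>';

// Vulnerable pattern: a request parameter is concatenated straight into
// markup, both inside an attribute and inside element text.
function render_gallery_vulnerable(array $get): string
{
    $id = $get['gallery_id'] ?? '';
    return '<div class="famous-gallery" data-id="' . $id . '">'
         . '<p>Gallery ' . $id . '</p></div>';
}

// Escape for an HTML attribute or text context. In WordPress this is what
// esc_attr() / esc_html() do; ENT_QUOTES covers both quote characters so the
// same function is safe for a double-quoted attribute and for element text.
function esc_ctx(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: allow-list the value first (a gallery id is a positive
// integer, nothing else), then escape on output for the exact context anyway.
function render_gallery_hardened(array $get): string
{
    $raw = $get['gallery_id'] ?? '';
    $id  = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return '<div class="famous-gallery"><p>Invalid gallery id</p></div>';
    }
    $id = (string) $id;
    return '<div class="famous-gallery" data-id="' . esc_ctx($id) . '">'
         . '<p>Gallery ' . esc_ctx($id) . '</p></div>';
}

// Check used when testing a plugin for reflected XSS: does the probe come
// back in the response verbatim, i.e. without being escaped or rejected?
function reflects_unescaped(callable $render, string $probe): bool
{
    return str_contains($render(['gallery_id' => $probe]), $probe);
}

foreach (['render_gallery_vulnerable', 'render_gallery_hardened'] as $fn) {
    printf("%-26s reflects probe unescaped: %s\n",
        $fn, reflects_unescaped($fn, XSS_PROBE) ? 'yes' : 'no');
}
```

Run with php on the command line (PHP 8 or later for str_contains). The vulnerable renderer returns the probe intact, which is exactly the condition a scanner or manual tester looks for; the hardened one rejects it at validation and would escape it on output even if validation were loosened. Validation alone is not enough when a parameter legitimately carries free text, which is why the escape step is kept regardless.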
OpenCVE Enrichment