Impact
This flaw stems from an improper neutralization of user input during web page rendering, exposing the Easy Form plugin to reflected cross‑site scripting. A malicious actor can inject crafted payloads into form or URL parameters that the plugin echoes back to the browser, enabling the execution of arbitrary JavaScript in the victim’s context. Such execution may steal session cookies, manipulate page content, or redirect users to phishing sites, thereby compromising confidentiality, integrity, or availability of user data entrusted to WordPress sites.
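The pattern behind this class of flaw, shown as an added illustration rather than code from the Easy Form plugin: a request parameter reflected straight into the page, beside the same code hardened with WordPress' own sanitizing and escaping helpers. The parameter name `ays_msg` and both function names are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. The parameter name 'ays_msg' is
// hypothetical; the helper functions are real WordPress core functions.

// VULNERABLE pattern: a URL/form parameter is echoed back into the HTML as-is.
function insecure_render_status() {
    $msg = isset( $_GET['ays_msg'] ) ? $_GET['ays_msg'] : '';
    // Whatever the parameter contains becomes page markup in the visitor's browser,
    // once inside an attribute and once inside a text node.
    echo '<div class="form-status" data-msg="' . $msg . '">' . $msg . '</div>';
}

// HARDENED pattern: unslash and sanitize on input, then escape for the exact
// HTML context at output time (attribute value vs. text node).
function secure_render_status() {
    $msg = isset( $_GET['ays_msg'] )
        ? sanitize_text_field( wp_unslash( $_GET['ays_msg'] ) )
        : '';
    printf(
        '<div class="form-status" data-msg="%s">%s</div>',
        esc_attr( $msg ),   // attribute context: quotes and angle brackets are encoded
        esc_html( $msg )    // text context: angle brackets and ampersands are encoded
    );
}
```

When reviewing a plugin for this bug, the check is mechanical: every `echo`/`printf` that carries request data must pass it through the escaping function matching its output context, and `sanitize_*` on input alone is not sufficient.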
Affected Systems
The vulnerability is present in the Easy Form plugin for WordPress distributed by Ays Pro, in all revisions from the earliest through version 2.6.9 inclusive. Any WordPress site that has installed or activated one of those versions of the plugin is directly affected.
Risk and Exploitability
The CVSS score of 7.1 places the flaw in the high‑severity range, while the EPSS score of <1% indicates a very low likelihood of widespread exploitation as of the data snapshot. The flaw is not listed in the CISA KEV catalogue, suggesting no confirmed exploitation at this time. An attacker would likely construct a malicious link or form submission containing injected script; a victim who clicks the link or submits the crafted input would trigger execution in their own browser. The impact is confined to the affected user's session context.
OpenCVE Enrichment