Impact
The Fontsampler plugin contains an Improper Neutralization of Input During Web Page Generation (CWE‑79) flaw that allows reflected cross‑site scripting (XSS). An attacker can supply a crafted URL or form input that the plugin reflects into an HTML response without escaping it for the output context. The injected JavaScript then runs in the victim's browser under the origin of the WordPress site, so it can deface the page the victim sees, read session cookies that are not marked HttpOnly, capture credentials typed into injected form fields, or issue authenticated requests in the victim's session. The vulnerability does not by itself give remote code execution on the server, but the impact on the confidentiality and integrity of site users can be significant.
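The following is an added illustration of the flaw class described above, not code from the Fontsampler plugin: a hypothetical render function that echoes a request parameter (the name `fontsampler_text` and the markup are assumed stand-ins) straight into an attribute and into element text, beside the hardened form that escapes for each output context. `esc_attr()` and `esc_html()` are the WordPress escaping helpers; the shims at the top let the file run under a plain `php` CLI outside WordPress.

```php
<?php
// Added example for this advisory; it is NOT the Fontsampler plugin's own code.
// The parameter name "fontsampler_text" and the form markup are hypothetical stand-ins
// for whatever request input the plugin reflects. esc_attr()/esc_html() are WordPress
// helpers; the shims below only exist so the file also runs under plain `php`.

if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern (CWE-79): request input is concatenated into markup unchanged,
// so a double quote closes the value attribute and a "<" opens a new tag.
function render_vulnerable(array $get): string {
    $text = $get['fontsampler_text'] ?? '';
    return '<input type="text" name="fontsampler_text" value="' . $text . '">'
         . '<p class="preview">' . $text . '</p>';
}

// Hardened pattern: escape at the point of output, with the escaper that matches
// the context (attribute value vs. element text). ENT_QUOTES matters here; without
// it a double quote would still break out of the attribute.
function render_hardened(array $get): string {
    $text = (string) ($get['fontsampler_text'] ?? '');
    return '<input type="text" name="fontsampler_text" value="' . esc_attr($text) . '">'
         . '<p class="preview">' . esc_html($text) . '</p>';
}

// Constructed payloads: an attribute breakout and a plain tag injection.
$payloads = [
    '" autofocus onfocus="alert(document.domain)" x="',
    '<script>alert(1)</script>',
];

foreach ($payloads as $p) {
    $in = ['fontsampler_text' => $p];
    echo "vulnerable: " . render_vulnerable($in) . "\n";
    echo "hardened:   " . render_hardened($in) . "\n\n";
}

// Self-check: the raw payload must not survive into the hardened output,
// while the vulnerable renderer reflects it verbatim.
foreach ($payloads as $p) {
    $in = ['fontsampler_text' => $p];
    assert(strpos(render_vulnerable($in), $p) !== false);
    assert(strpos(render_hardened($in), $p) === false);
}
```

Run it with `php example.php`. In the vulnerable output the first payload's leading `"` terminates the `value` attribute and the `onfocus` handler becomes part of the `<input>` element; in the hardened output the same characters appear as `&quot;` and `&lt;`, which the browser renders as text. Inside WordPress the shims are skipped and the real `esc_attr()`/`esc_html()` are used, which apply the same context-specific escaping.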
Affected Systems
The WordPress Fontsampler plugin from kontur is affected in all releases up to and including version 0.4.14. Any WordPress site running one of those versions of the plugin is potentially vulnerable.
Risk and Exploitability
The CVSS base score of 7.1 places this vulnerability in the high severity band. The EPSS score of less than 1% indicates that exploitation in the wild is unlikely in the near term. The flaw allows an attacker to craft a malicious link or form submission that, when a victim opens or submits it, injects arbitrary JavaScript into the page. The attack requires no privileges on the site and no compromise of the server, but it does require user interaction: the victim must visit the crafted URL or submit the crafted form, and the script runs only in that victim's browser. Within that scope it can enable session hijacking, credential theft, or defacement, with a victim holding an administrator session being the most damaging target. The vulnerability is not listed in the CISA KEV catalog.