Impact
The List Urls WordPress plugin, in all versions up to and including 0.2, contains an improper neutralization of input during web page generation flaw (CWE‑79) that allows reflected cross‑site scripting (XSS). The plugin echoes attacker‑controlled request parameters into its output without adequate escaping, so a crafted request causes arbitrary JavaScript to execute in the browser of whoever loads the resulting page. This can enable credential theft, hijacking of an authenticated WordPress session, or defacement of the site as rendered for the victim. The defect is server‑side (missing output encoding at the point of page generation); the payload itself runs client‑side, which is what makes it an XSS flaw.
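The following is an added illustration of the pattern the advisory describes, written for this page; it is not the List Urls plugin's code, and the parameter name `url`, the function names, and the stand‑in escaping helpers are assumptions. It shows a handler that echoes a request parameter unescaped next to the same handler hardened with WordPress's context‑specific escaping functions. The fallbacks at the top exist only so the file runs from the CLI outside WordPress (`php example.php`); inside WordPress the real `esc_html()`, `esc_url()`, and `wp_unslash()` are used instead.

```php
<?php
// Constructed illustration of reflected XSS via an unescaped request
// parameter, and its fix. NOT the List Urls plugin's code; the parameter
// name 'url' and these function names are assumptions for the example.

// Stand-alone fallbacks so this runs outside WordPress. Inside WordPress the
// real core functions exist and these definitions are skipped.
if ( ! function_exists( 'esc_html' ) ) {
    // Text-node context: encode <, >, &, ", ' so markup cannot be injected.
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    // href context. This stand-in is stricter than WordPress's esc_url():
    // it only allows http(s) URLs (blocking e.g. javascript:) and then
    // attribute-encodes the result.
    function esc_url( $url ) {
        $url = trim( (string) $url );
        if ( ! preg_match( '#^https?://#i', $url ) ) {
            return '';
        }
        return htmlspecialchars( $url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    // WordPress adds slashes to superglobals; strip them before escaping.
    function wp_unslash( $value ) {
        return stripslashes( (string) $value );
    }
}

// VULNERABLE: the request value is concatenated straight into the HTML.
// Any '<script>' or '">' in the parameter becomes live markup.
function render_vulnerable( array $get ) {
    $url = isset( $get['url'] ) ? $get['url'] : '';
    return '<p>Listing: ' . $url . '</p>'
         . '<a href="' . $url . '">' . $url . '</a>';
}

// HARDENED: every value is escaped for the exact context it lands in.
// esc_html() for text nodes, esc_url() for the href attribute.
function render_hardened( array $get ) {
    $url = isset( $get['url'] ) ? wp_unslash( $get['url'] ) : '';
    return '<p>Listing: ' . esc_html( $url ) . '</p>'
         . '<a href="' . esc_url( $url ) . '">' . esc_html( $url ) . '</a>';
}

// Constructed payload of the kind a reflected-XSS link would carry.
$payload = array( 'url' => '"><script>alert(document.cookie)</script>' );

echo "Vulnerable output:\n" . render_vulnerable( $payload ) . "\n\n";
echo "Hardened output:\n"   . render_hardened( $payload )   . "\n";
```

In the vulnerable branch the payload closes the `href` attribute and injects a `<script>` element; in the hardened branch the same input is rendered as inert text (`&lt;script&gt;...`) and the `href` is dropped because it is not an `http(s)` URL. The general rule this demonstrates is that escaping must be chosen per output context (text node, attribute, URL, JavaScript), not applied once on input.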
Affected Systems
WordPress sites running the List Urls plugin by graphems at version 0.2 or earlier. Every release from the earliest available version up to and including 0.2 is affected. No fixed version is identified on this page, so any installed copy should be treated as vulnerable until the vendor states otherwise.
Risk and Exploitability
The CVSS score of 7.1 places the flaw in the High severity band, while the EPSS score below 1% indicates a low estimated probability of exploitation in the wild at present. The flaw is not listed in CISA’s KEV catalog. Exploitation requires user interaction: the attacker must get a victim, typically a logged‑in user of the site, to open a crafted URL or submit a malicious form so that the reflected payload executes in the victim’s browser. No privileges on the target site are needed to mount the attack, and the impact scales with the victim’s role, since a script running in an administrator’s session can act with that administrator’s rights. With the low EPSS and absence from KEV, current risk is moderate, but the High CVSS rating justifies prompt remediation: update to a fixed release if the vendor provides one, or disable the plugin in the meantime.