Improper neutralization of input during web page generation allows an attacker to inject malicious scripts when the Simple Email Subscriber plugin renders a page, leading to reflected XSS. An attacker can embed arbitrary JavaScript that executes in the victim’s browser, enabling cookie theft, session hijacking, defacement, or the delivery of further attacks. The weakness is a classic input‑validation flaw (CWE‑79) that can compromise confidentiality and integrity of data viewed by users.

The vulnerability affects the Simple Email Subscriber plugin by phil88530 with version numbering up to and including 2.3. All releases up to that point lack the necessary input sanitization and are considered impacted. No later versions are mentioned as affected, so a precise cut‑off at 2.3 should be observed.

The CVSS score of 7.1 places this issue in the medium‑to‑high severity range. The EPSS score is reported to be below 1%, suggesting a low but non‑zero likelihood of active exploitation. It is not listed in CISA’s KEV catalog, indicating that no widespread, actively used exploits have been documented publicly as of the last update. The attack vector is inferred as a reflected XSS triggered through crafted input to the plugin’s interface, which an attacker can supply via a URL or form submission that is reflected in the web page.