Improper Neutralization of Input During Web Page Generation, also known as reflected XSS, is present in thhake Photo Express for Google plugin versions up to and including 0.3.2. The vulnerability allows an attacker to inject malicious JavaScript that is executed in the browser of any user who visits a specially crafted URL, potentially leading to cookie theft, session hijacking, or arbitrary code execution within the victim’s session store.

The affected product is the WordPress plugin thhake Photo Express for Google, versions ranging from the initial release through 0.3.2. Any WordPress site that has this plugin installed and has not upgraded beyond 0.3.2 falls under risk.

The vulnerability has a CVSS score of 7.1, indicating moderate severity, and an EPSS score of less than 1%, showing a low probability of exploitation at this time. It is not listed in CISA’s KEV catalog. The likely attack vector is a reflected XSS attack whereby an attacker crafts a malicious link containing a query string or path parameter that is not sanitized. A target user clicking the link would receive the malicious script in their browser context, which can then perform actions such as reading session cookies, modifying the DOM, or stealing credentials. The attack requires social engineering or a compromised user capable of visiting the crafted URL.