Impact
The vulnerability is an instance of Improper Neutralization of Input During Web Page Generation (reflected cross-site scripting), allowing an attacker to inject script into the HTML output of the Blue Captcha plugin. If an attacker can control the content of a request that the plugin reflects back to a browser, the injected script executes in the context of the victim's session, potentially permitting cookie theft, session hijacking, defacement, or the delivery of additional malware. The weakness is classified as CWE-79, meaning the plugin neither validates the input sufficiently nor encodes it for the output context in which it is emitted.
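To make the CWE-79 pattern concrete, the following is an added illustration in a hypothetical WordPress form handler; it is not Blue Captcha's code (this advisory does not show the plugin's internals), and the `bc_example_*` function names and the `bc_error`/`redirect_to` parameters are invented for the example.

```php
<?php
// Added example, not Blue Captcha's code: a hypothetical captcha form that
// reflects request data into the page, shown as the CWE-79 anti-pattern and
// then with validation plus context-aware output encoding.

// Stand-alone fallbacks so the file also runs outside WordPress, where the
// real esc_html()/esc_attr() helpers are provided by core.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Anti-pattern: request values are written into HTML verbatim. The message
// lands in element-body context and the redirect target in an attribute
// context; markup or quote characters in either are interpreted by the browser.
function bc_example_render_unsafe(array $request): string {
    $err      = (string)($request['bc_error'] ?? '');
    $redirect = (string)($request['redirect_to'] ?? '');
    return '<p class="error">' . $err . '</p>'
         . '<input type="hidden" name="redirect_to" value="' . $redirect . '">';
}

// Hardened: reflect only values the plugin itself defines, constrain the
// redirect target, and encode each value for the exact context it lands in.
function bc_example_render_safe(array $request): string {
    // Map an error code to a fixed message instead of echoing free text.
    $messages = [
        'empty' => 'Please complete the captcha.',
        'wrong' => 'The captcha answer was incorrect.',
    ];
    $err = $messages[(string)($request['bc_error'] ?? '')] ?? '';

    // Accept only a same-site path ("/..." but not "//host") as the target.
    $redirect = (string)($request['redirect_to'] ?? '');
    if ($redirect === '' || $redirect[0] !== '/' || str_starts_with($redirect, '//')) {
        $redirect = '/';
    }

    return '<p class="error">' . esc_html($err) . '</p>'
         . '<input type="hidden" name="redirect_to" value="' . esc_attr($redirect) . '">';
}
```

Both functions take the request array (for example `$_GET`) as a parameter so the two outputs can be compared side by side for the same input; `str_starts_with` requires PHP 8.0 or later.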
Affected Systems
The vulnerability affects the Blue Captcha plugin released by the vendor jotis. All installations of the plugin from the earliest available version up to and including version 1.7.4 are known to be susceptible, regardless of the WordPress core version they run on.
Risk and Exploitability
The CVSS score of 7.1 classifies the issue as high severity; however, the EPSS score of less than 1% suggests that exploitation is currently uncommon or not widely observed. The vulnerability is not listed in the CISA KEV catalog. Given the nature of reflected XSS, the likely attack vector is a crafted web request that a victim inadvertently follows, such as a malicious link sent via email or embedded in a social media post. Successful exploitation requires the victim to load the reflected data in a browser with JavaScript enabled, which is the case for many users. No elevated privileges or server-side access are required beyond the ability to reach the vulnerable page.
OpenCVE Enrichment