Impact
The Oracle Cards Lite plugin written by emotionalonlinestorytelling contains an improper neutralization of user input during web page generation, resulting in a reflected XSS vulnerability that can be triggered by supplying malformed data in a request. Attackers could craft a URL containing malicious JavaScript and embed it in a link, which, when clicked by a victim, causes the browser to execute the script in the context of the site. This may lead to session hijacking, cookie theft, defacement, or the delivery of further malware.
Affected Systems
The vulnerability affects the Oracle Cards Lite WordPress plugin versions up to and including 1.2.1. Site administrators should verify the currently deployed plugin version and note that any installation of version 1.2.1 or earlier is susceptible.
Risk and Exploitability
The CVSS score of 7.1 rates the flaw as high severity, yet the EPSS score of less than 1% suggests that exploitation is currently unlikely to occur in the wild. The vulnerability is not listed in the CISA KEV catalog, indicating that, as of now, it has not been documented as being exploited on a large scale. Attackers can exploit the flaw by sending victims to a specially crafted URL that contains the malicious payload; this requires the user to interact with the link, though no privilege escalation is needed. The overall risk is moderate, with a potentially significant impact if an attacker successfully lures a user to the crafted link.
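The improper-neutralization pattern described under Impact and Risk, shown as an added illustration that is not the plugin's code: a hypothetical WordPress shortcode handler echoes a request parameter into the generated page, next to the hardened form using WordPress's own sanitization and escaping functions. The function names, the `card` parameter and the allowlist pattern are assumptions for the example.

```php
<?php
// Added illustration, not code from the Oracle Cards Lite plugin.
// ocl_card_shortcode_* and the "card" query parameter are hypothetical.

// Vulnerable: the request parameter is placed straight into the markup.
function ocl_card_shortcode_vulnerable( $atts ) {
    $card = isset( $_GET['card'] ) ? $_GET['card'] : '';
    // Whatever arrived in the URL becomes part of the page, so a crafted
    // link can inject script that runs in the site's origin (reflected XSS).
    return '<div class="ocl-card" data-card="' . $card . '">' . $card . '</div>';
}

// Hardened: unslash, sanitize on input, then escape for each output context.
function ocl_card_shortcode_hardened( $atts ) {
    $raw  = isset( $_GET['card'] ) ? wp_unslash( $_GET['card'] ) : '';
    $card = sanitize_text_field( $raw );  // strips tags, control chars, extra whitespace

    // Optional but stronger: only accept values from a known vocabulary.
    if ( ! ocl_card_name_is_valid( $card ) ) {
        $card = '';
    }

    return '<div class="ocl-card" data-card="' . esc_attr( $card ) . '">'  // attribute context
         . esc_html( $card )                                               // HTML-body context
         . '</div>';
}

// Allowlist check: lowercase letters, digits, underscore and hyphen only.
function ocl_card_name_is_valid( $card ) {
    return (bool) preg_match( '/\A[a-z0-9_-]{1,40}\z/', $card );
}
```

The escaping call must match the output context (esc_attr inside attributes, esc_html in element text, esc_url for href values); sanitizing on input alone is not sufficient.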
OpenCVE Enrichment