Impact
The vulnerability is an improper neutralization of input during web page generation (CWE-79) that permits reflected cross-site scripting (XSS) in the WordPress "Access Areas" plugin. When an attacker supplies a crafted value to a vulnerable parameter, the value is reflected into the response without sufficient sanitization or output escaping, so the victim's browser executes arbitrary script in the context of the site. This can lead to session hijacking, credential theft, or malicious content injection, but the impact remains limited to the affected user's browser; it does not by itself provide direct access to the server or to other users' data.
Affected Systems
WordPress installations that use the "Access Areas" plugin from podpirate, specifically all versions up to and including 1.5.19. No specific PHP or WordPress core version constraints are listed, so the flaw applies to any site running a vulnerable plugin version.
Risk and Exploitability
The CVSS base score is 7.1, indicating a high level of risk because the flaw is exploitable remotely and can compromise confidentiality at the browser level. The EPSS score is less than 1%, suggesting that, despite its severity, the likelihood of real-world exploitation is low at the moment. The flaw is not listed in the CISA KEV catalog, and there is no known widespread exploitation. An attacker could exploit the flaw by constructing a URL or form submission that carries the crafted input; the script would then run in the browser of any user who opens that URL or submits that form.
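To make concrete the CWE-79 pattern described in the Impact and Risk sections above, here is an added example in plain PHP; it is not code from the Access Areas plugin, and the parameter name `area` and the function names are hypothetical. It places a request value echoed into the page unescaped beside the context-aware escaping that keeps a reflected value from being parsed as markup.

```php
<?php
// Added illustrative example, not code from the Access Areas plugin.
// The parameter name 'area' and all function names are hypothetical.

// CWE-79 pattern: the request value is written straight into the HTML,
// so any markup it contains becomes part of the page the browser parses.
function render_unsafe(array $get): string {
    $area = $get['area'] ?? '';
    return '<p>Area: ' . $area . '</p>';
}

// Hardened form: escape for the exact output context at the point of output.
// Inside WordPress this is what esc_html() / esc_attr() do; outside WordPress
// htmlspecialchars() with these flags produces the same encoding.
function esc_for_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_safe(array $get): string {
    // Normalize to a string first so arrays or nulls cannot slip through.
    $area = (string) ($get['area'] ?? '');
    // Text-node context: '<', '>', '&' and quotes are encoded, so the browser
    // displays the value literally instead of interpreting it as markup.
    $html = '<p>Area: ' . esc_for_html($area) . '</p>';
    // Attribute context: the same encoding, always inside double quotes so a
    // quote character in the value cannot terminate the attribute.
    $html .= '<input type="hidden" name="area" value="' . esc_for_html($area) . '">';
    return $html;
}

// Constructed sample input containing harmless markup (not a payload from the advisory).
$sample = ['area' => '<b>staff</b>'];

echo render_unsafe($sample), PHP_EOL;   // tag is reflected as live markup
echo render_safe($sample), PHP_EOL;     // tag is reflected as inert text
```

The rule the hardened version follows is the one WordPress's own coding guidance gives: sanitize on input, escape late for the specific context (esc_html, esc_attr, esc_url, esc_js) at the moment of output.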
OpenCVE Enrichment