Improper neutralization of input in FireDrum Email Marketing results in a reflected XSS flaw that allows attackers to inject malicious scripts into pages served to users. The vulnerability is triggered when untrusted data from query parameters or user input is echoed back without sanitization, which can lead to client‑side script execution and compromise confidentiality, integrity, and availability for the affected user’s browser session.

WordPress sites that have the FireDrum Email Marketing plugin version 1.64 or earlier installed. All installations of this plugin through version 1.64 are vulnerable, regardless of configuration or usage context.

The CVSS score of 7.1 classifies the vulnerability as high severity, while an EPSS score of less than 1% indicates a very low probability of commercial exploitation at this time. The flaw is not currently listed in CISA’s KEV catalog, suggesting no known widespread attacks. Attackers are likely to exploit the vulnerability by crafting a malicious URL or form submission that includes injected script content, which is reflected in the response and executed in the victim’s browser. No specific system privileges are required beyond accessing the vulnerable plugin’s endpoints.