Impact
This vulnerability arises from improper neutralization of input during web page generation in the Mobile Smart WordPress plugin. When a malicious user supplies crafted data in a URL and the plugin reflects that data back without sanitization or output escaping, the data is embedded into the page's HTML, allowing attacker-controlled scripts to execute in the browser of authenticated or anonymous visitors. This can lead to theft of user credentials, defacement, or session hijacking, and impacts both the confidentiality and the integrity of site data.
Affected Systems
The affected product is the dolby_uk Mobile Smart plugin for WordPress, versions up to and including 1.3.16. All installations of these versions that accept and reflect user-supplied query parameters are susceptible.
Risk and Exploitability
The CVSS score of 7.1 indicates a high severity issue, while the EPSS score of less than 1% indicates that the current probability of exploitation in the wild is low but non-zero. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a reflected XSS that requires the attacker to craft a URL containing a malicious payload and entice a victim to visit that URL. The vulnerability can be exploited without any special privileges, simply by delivering the crafted link to a target user.
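To make the mechanism in the Impact and Risk sections concrete, the following is an added illustration of the generic reflected-XSS coding pattern beside its hardened form using WordPress's standard escaping helpers. It is not code from the Mobile Smart plugin; the query parameter names (`msg`, `next`) and the render functions are hypothetical stand-ins for whatever parameter the plugin reflects.

```php
<?php
/*
 * Added illustration (not the Mobile Smart plugin's code): the generic
 * reflected-XSS pattern described in the advisory, beside the hardened
 * form using WordPress's own sanitization and escaping helpers.
 * The parameter names "msg" and "next" and the render functions are
 * hypothetical.
 */

// Vulnerable pattern: a query parameter is echoed straight into HTML.
// Whatever markup the URL carries becomes part of the rendered page,
// which is exactly the "reflected without sanitization" condition.
function render_notice_vulnerable() {
    if ( isset( $_GET['msg'] ) ) {
        echo '<div class="notice">' . $_GET['msg'] . '</div>';
    }
}

// Hardened pattern: unslash, sanitize on input, then escape for the
// exact output context (HTML body here; use esc_attr() inside attribute
// values and esc_js() for strings placed into inline script).
function render_notice_hardened() {
    if ( ! isset( $_GET['msg'] ) ) {
        return;
    }
    $msg = sanitize_text_field( wp_unslash( $_GET['msg'] ) );
    echo '<div class="notice">' . esc_html( $msg ) . '</div>';
}

// URL context needs its own escaper; esc_html() alone is not sufficient
// for an href, because a non-HTTP scheme still survives HTML escaping.
function render_link_hardened() {
    $target = isset( $_GET['next'] ) ? wp_unslash( $_GET['next'] ) : '';
    // esc_url() strips disallowed protocols and encodes the remainder.
    echo '<a href="' . esc_url( $target ) . '">Continue</a>';
}
```

The fix for this class of bug is output escaping chosen per context rather than input filtering alone: `esc_html()` for text nodes, `esc_attr()` inside attributes, `esc_url()` for link targets. When reviewing a plugin for this weakness, look for `$_GET`, `$_REQUEST` or `$_SERVER['REQUEST_URI']` values that reach an `echo` or `printf` without one of these helpers in between.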
OpenCVE Enrichment