Impact
The bingu replyMail WordPress plugin contains an improper neutralization of input during web page generation (a stored cross-site scripting flaw) that allows attackers to store malicious script code. The stored payload is rendered unchanged on pages generated by the plugin, so it executes in the browsers of visitors who view those pages.
Affected Systems
Affected sites are WordPress installations running the bingu replyMail plugin at version 1.2.0 or earlier. The vulnerability applies to all releases of the plugin up to and including this version, with no minimum affected version specified; any installation with a version in that range remains at risk.
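An added inventory check, not part of the advisory or the plugin, that reads the Version field from a WordPress plugin header comment and compares it against the 1.2.0 ceiling stated above. The plugin header shown is a constructed sample; the plugin's real main file name and header contents are not given on this page and are assumed.

```python
import re
from typing import Optional, Tuple

# Highest affected release named in the advisory (versions <= this are in scope).
MAX_AFFECTED_VERSION = "1.2.0"

# Constructed sample of a WordPress plugin main-file header (assumed layout, not the real plugin file).
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: bingu replyMail
Description: constructed sample header used for this example only
Version: 1.2.0
*/
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.2.0', '1.2' or '1.2.1-beta' into a comparable tuple of ints.

    Missing trailing components compare as zero, so '1.2' equals '1.2.0'.
    A pre-release suffix is dropped, which treats '1.2.1-beta' as 1.2.1.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad to at least 3 components


def plugin_version_from_header(php_source: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header comment, if present."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def is_affected(version: str) -> bool:
    """True when the given plugin version falls inside the advisory's affected range."""
    return parse_version(version) <= parse_version(MAX_AFFECTED_VERSION)


def check_plugin_header(php_source: str) -> Optional[bool]:
    """Return True/False for an affected/unaffected header, or None if no version was found."""
    version = plugin_version_from_header(php_source)
    return None if version is None else is_affected(version)


if __name__ == "__main__":
    print("affected:", check_plugin_header(SAMPLE_PLUGIN_HEADER))
```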
Risk and Exploitability
The flaw receives a CVSS score of 7.1, indicating high severity, while an EPSS score below 1% suggests that exploitation is currently uncommon. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to submit content containing malicious scripts through the plugin’s input interface; based on the description, it is inferred that the likelihood of a successful attack depends on whether that endpoint is publicly reachable or restricted to certain user roles.
OpenCVE Enrichment