This vulnerability is an improper neutralization of input during web page generation; an attacker can inject malicious script that is reflected back to the victim’s browser, enabling the execution of arbitrary client‑side code. The injected script breaks out of the intended context and can be used to steal session cookies, deface the page, or redirect users to malicious sites. The weakness is a classic XSS flaw identified as CWE‑79.

The issue affects the WordPress Oppso Unit Converter plugin from version 1.1.1 and earlier. The plugin is distributed under the danbwb:Oppso Unit Converter vendor name and is commonly installed on WordPress sites that provide unit conversion functionality. Only those sites that have an exposed entry point handled by this plugin are vulnerable.

The CVSS score of 7.1 classifies this flaw as high severity, and the EPSS score of less than 1% indicates a low probability of exploitation at present. It is not listed in the CISA KEV catalog. The likely attack vector involves a malicious user crafting a URL or form that includes the reflected payload, then causing a legitimate user to visit that URL. Once the victim’s browser processes the reflected input, the attacker can run arbitrary code in the victim’s context. Because the flaw is not restricted to privileged users, any visitor who can trigger the plugin’s input handling is at risk.