Impact
The Sequel WordPress plugin, version 1.0.11 and earlier, does not properly neutralize user-controlled input before writing it into a generated web page. An attacker can therefore inject JavaScript that executes in a victim's browser within the origin of the affected site. A successful attack can hijack the victim's authenticated session, deface the page the victim sees, or perform actions on the site with the victim's privileges. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting"), here in its reflected form.
Affected Systems
The vulnerable code is in the WordPress plugin Sequel, distributed by Introvoke Inc. dba Sequel.io. Every release from the initial launch through version 1.0.11 is affected; the entry gives no further build or patch details. Sites that installed or last upgraded the plugin before the 1.0.12 release are at risk. The installed version can be confirmed on the Plugins page of the WordPress admin or, with WP-CLI, by running `wp plugin list` on the site.
Risk and Exploitability
The CVSS score of 7.1 places the vulnerability in the High severity band. The EPSS score below 1% estimates a low probability of exploitation activity in the wild in the near term; note that EPSS describes observed exploitation likelihood, not ease of exploitation, and reflected XSS is typically low effort to exploit once the sink is known. The entry is not listed in CISA's KEV catalog. The attack most likely works by placing script in a URL parameter or form input that the plugin echoes back into the page without escaping. Because the flaw is reflected, the attacker must get a victim, authenticated or not, to open a crafted link, for example through a phishing message or a link on another site; once the page loads, the payload runs in the victim's browser in the site's origin with no further interaction, and the attacker needs no account or privileges on the site. Authenticated users, and administrators in particular, are the most valuable targets because the script can act with their session.
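To make the pattern described in the Impact and Risk sections concrete, the following Python model is an added example; it is not the Sequel plugin's source (which this entry does not include) and does not reproduce the real sink. The parameter name `event` and the `<div>` wrapper are assumptions. It shows a reflected sink that echoes a query parameter unescaped, the same sink hardened with context-appropriate HTML escaping (the stand-alone equivalent of WordPress's `esc_html()`/`esc_attr()`), and a canary-based check that classifies whether a page reflects input unescaped, escaped, or not at all, which is how a tester would confirm the finding on a staging copy of the site.

```python
"""Reflected XSS: vulnerable sink, hardened sink, and a reflection check.

Added example, constructed for illustration; not the plugin's own code.
"""
from html import escape
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed parameter name; the advisory does not name the real one.
PARAM = "event"


def _param_value(url: str) -> str:
    """Pull the assumed parameter out of the URL's query string."""
    query = parse_qs(urlsplit(url).query)
    return query.get(PARAM, [""])[0]


def render_vulnerable(url: str) -> str:
    """CWE-79 pattern: user input written into the page with no
    neutralization, so any markup in the parameter becomes live markup."""
    return f'<div class="sequel-event">{_param_value(url)}</div>'


def render_hardened(url: str) -> str:
    """Same sink with the value escaped for an HTML element/attribute
    context. quote=True also escapes " and ' so the value cannot break
    out of an attribute if the markup changes later."""
    return f'<div class="sequel-event">{escape(_param_value(url), quote=True)}</div>'


# Canary carrying exactly the metacharacters that matter for XSS.
# The surrounding letters make it easy to find in a response body.
CANARY = "zq9<\"'>zq9"


def build_probe(base_url: str) -> str:
    """Crafted link a tester would send to a staging site."""
    return f"{base_url}?{urlencode({PARAM: CANARY})}"


def reflection_verdict(response_body: str) -> str:
    """Classify how a response reflected the canary.

    'unescaped': raw metacharacters came back, the context is exploitable.
    'escaped'  : the characters were neutralized (entity-encoded).
    'absent'   : the parameter is not reflected into this page at all.
    """
    if CANARY in response_body:
        return "unescaped"
    if escape(CANARY, quote=True) in response_body:
        return "escaped"
    return "absent"


def contains_live_script(html: str) -> bool:
    """True if a <script> element survived rendering (constructed check)."""
    return "<script>" in html.lower()


if __name__ == "__main__":
    # Constructed attacker link: the classic proof-of-concept payload.
    link = "https://example.test/page?event=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E"
    print("vulnerable:", render_vulnerable(link))
    print("hardened:  ", render_hardened(link))
    probe = build_probe("https://example.test/page")
    print("probe URL: ", probe)
    print("verdict (vulnerable):", reflection_verdict(render_vulnerable(probe)))
    print("verdict (hardened):  ", reflection_verdict(render_hardened(probe)))
```

Run against the vulnerable renderer the verdict is `unescaped` and the script element survives; against the hardened renderer it is `escaped` and the payload is inert text. The escaping shown is correct for element content and quoted attributes only; a value placed inside a `<script>` block, a URL, or inline CSS needs a different encoder for that context.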