Impact
This vulnerability is a reflected cross‑site scripting (XSS) flaw in the WP Bookmarks plugin. An attacker who lures a victim into visiting a crafted URL can have JavaScript of their choosing executed in the victim's browser session. The root cause is improper neutralization of user‑supplied input when it is rendered into the page. Successful exploitation can lead to session hijacking, cookie theft, defacement, or execution of arbitrary client‑side code, compromising the confidentiality, integrity, or availability of the web application from the user's perspective.
Affected Systems
The affected product is the WordPress WP Bookmarks plugin developed by conlabz GmbH, in all releases up to and including version 1.1. WordPress sites that have not updated the plugin to a newer revision are at risk.
Risk and Exploitability
The CVSS base score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests a low but non‑zero probability of exploitation in the wild. Because the flaw is a reflected XSS, it can be triggered against any user who follows a malicious link: the attack vector is remote and requires no prior authentication. Although this vulnerability is not listed in the CISA KEV catalog, it remains an attractive target for automated or credential‑less attacks, so timely patching is warranted.
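The improper‑neutralization pattern behind a reflected XSS, shown as an added, hypothetical WordPress snippet (not the WP Bookmarks plugin's code; the parameter name `q` and the function names are assumptions, and the `wp_unslash`, `sanitize_text_field`, `esc_html`, `esc_url` and `add_query_arg` calls are the standard WordPress APIs, so the code is meant to run inside WordPress):

```php
<?php
// Hypothetical illustration, not the plugin's own code. Assumes it runs inside
// WordPress so the escaping helpers used below are available.

// Vulnerable pattern: a request parameter is copied straight into the page.
// Whatever the URL carries in ?q= is emitted as HTML text and as an attribute
// value, so the browser will interpret any markup it contains.
function bookmarks_render_vulnerable() {
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    return '<p>Results for ' . $q . '</p>'
         . '<a href="?q=' . $q . '">Refresh</a>';
}

// Hardened pattern: strip WordPress's added slashes, sanitize on input, and
// escape for each output context separately (HTML text vs. URL attribute).
function bookmarks_render_hardened() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    return '<p>Results for ' . esc_html( $q ) . '</p>'
         . '<a href="' . esc_url( add_query_arg( 'q', $q ) ) . '">Refresh</a>';
}
```

When reviewing a plugin for this class of bug, look for `$_GET`, `$_POST` or `$_REQUEST` values that reach `echo` or string concatenation without passing through a context‑appropriate `esc_*` function.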