The flaw is an improper neutralization of input during web page generation, categorized as CWE‑79. The Search engine keywords highlighter plugin for WordPress accepts user‑provided search terms and reflects them back in the page without encoding. Based on the description, it is inferred that the plugin receives these terms via query strings or form inputs and echoes them unescaped. This allows an attacker to inject scripts that execute in the browsers of users who view the affected pages, potentially enabling session hijacking, defacement, or credential theft.

This issue impacts the WordPress plugin Search engine keywords highlighter from its earliest available release through version 0.1.3. Any WordPress installation with a vulnerable version of the plugin is susceptible, regardless of site configuration or user privileges.

The CVSS score of 7.1 marks the flaw as high severity, while the EPSS score is under 1 %, indicating a low but non‑zero probability of exploitation. It is not listed in the CISA KEV catalog, suggesting no known widespread attacks. Based on the description, the attack vector likely involves an attacker embedding malicious JavaScript into a crafted URL or search input that, when used by a visitor, causes the script to execute in that visitor's browser.