Impact
WPglob’s Auto scroll for reading plugin processes input without sufficient neutralization in the generation of its web pages. The reflected cross‑site scripting flaw allows an attacker to inject arbitrary JavaScript into page content that a victim’s browser will execute without their knowledge. Such scripts can be used to steal session cookies, make unauthorized requests, or deface the site, thereby compromising confidentiality, integrity, and availability of the web application.
Affected Systems
The vulnerability affects all installations of the WPglob Auto scroll for reading plugin in versions n/a through 1.1.4. No other vendors or product families are listed as impacted.
Risk and Exploitability
The flaw carries a CVSS score of 7.1, indicating a high impact if exploited, but the EPSS score is reported as less than 1%, suggesting a very low likelihood of exploitation in the wild. It is not flagged in CISA’s KEV catalog. Attackers can exploit the weakness remotely by crafting a URL or form input that is reflected in the page output. No authentication or privileges are required, so any web visitor who views a malicious link can be affected. Because the issue is reflected XSS, it can be triggered from a source outside the site, such as a link that users are led to follow.