Impact
This vulnerability is an instance of Improper Neutralization of Input During Web Page Generation (CWE-79). An attacker who gets a victim to visit a specially crafted URL can have script of their choosing executed in the victim's browser within the origin of the affected WordPress site. Because the XSS is reflected, the payload travels in the request and is echoed straight back into the response page rather than being stored on the server, so each attack needs a victim to follow the link. Successful exploitation can hijack the user's session, disclose sensitive information available to that session, or deface the rendered content. The delivery vectors are the usual web-based ones: links placed where users will click them, or search queries that carry the payload.
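The pattern the advisory describes, as an added illustration that is not code from the MX Time Zone Clocks plugin or from its author: a request parameter is interpolated into the generated page without output encoding, next to the hardened form. The parameter name `tz`, the markup, and the function names are assumptions for the example; the escaping calls are WordPress's own `esc_html()` and `esc_attr()`, with fallbacks defined so the file also runs under plain `php` outside WordPress.

```php
<?php
// Added example, not the plugin's code. Demonstrates CWE-79 (reflected XSS):
// a query parameter echoed into HTML without encoding, and the fix.
// "tz" and the <div class="clock"> markup are assumptions for illustration.

// Fallbacks so the file runs stand-alone with `php example.php`.
// Inside WordPress the real esc_html()/esc_attr() are used instead.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable: the raw value is dropped into both an attribute and a text node.
// A URL such as  ?tz="><script>alert(document.cookie)</script>  is reflected
// verbatim and the browser runs it in the site's origin.
function render_clock_vulnerable(array $query): string {
    $tz = isset($query['tz']) ? (string) $query['tz'] : 'UTC';
    return '<div class="clock" data-tz="' . $tz . '">' . $tz . '</div>';
}

// Hardened: encode for the context where the value lands. esc_attr() for the
// attribute value, esc_html() for the text node. Output encoding is what
// neutralizes the payload; note that sanitize_text_field() on input strips
// tags but is not a substitute for escaping at output time.
function render_clock_escaped(array $query): string {
    $tz = isset($query['tz']) ? (string) $query['tz'] : 'UTC';
    return '<div class="clock" data-tz="' . esc_attr($tz) . '">' . esc_html($tz) . '</div>';
}

// Defence in depth: a time-zone name has a small known vocabulary, so reject
// anything that is not an IANA zone identifier before it reaches the template.
function validate_tz(string $tz): string {
    return in_array($tz, timezone_identifiers_list(), true) ? $tz : 'UTC';
}

function render_clock_validated(array $query): string {
    $tz = isset($query['tz']) ? validate_tz((string) $query['tz']) : 'UTC';
    return '<div class="clock" data-tz="' . esc_attr($tz) . '">' . esc_html($tz) . '</div>';
}

// Constructed request, standing in for $_GET. In real WordPress code read it
// via wp_unslash($_GET['tz']) because WordPress adds slashes to superglobals.
$crafted = ['tz' => '"><script>alert(document.cookie)</script>'];
$benign  = ['tz' => 'Europe/Berlin'];

echo "vulnerable: ", render_clock_vulnerable($crafted), PHP_EOL;
echo "escaped:    ", render_clock_escaped($crafted), PHP_EOL;
echo "validated:  ", render_clock_validated($crafted), PHP_EOL;
echo "benign:     ", render_clock_validated($benign), PHP_EOL;
```

The first line of output closes the `data-tz` attribute early and emits a live `<script>` element; the second keeps the same characters but as `&quot;&gt;&lt;script&gt;...`, which the browser renders as text. Validation alone would also have stopped this particular payload, but escaping is the control that holds for any value that reaches the template, so both belong in the fix.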
Affected Systems
The MX Time Zone Clocks plugin for WordPress, developed by Maksym Marko, is vulnerable in all releases up to and including version 5.1.1. WordPress sites that have not upgraded beyond this version are at risk. No additional affected product versions are listed.
Risk and Exploitability
The CVSS score of 6.5 places this vulnerability in the medium severity tier, and the EPSS score of less than 1% indicates a low estimated probability of exploitation in the wild under current conditions. It is not listed in the CISA KEV catalog, so no active exploitation is known. The realistic attack path is a crafted URL or malicious link that, when opened by a victim who is logged in to the WordPress site, reflects the payload into the response and executes JavaScript in the context of that authenticated session; the exploit therefore depends on user interaction and on the victim having a session worth stealing.