Impact
Improper neutralization of input in the Team Rosters plugin creates a reflected cross-site scripting (XSS) flaw that can execute arbitrary JavaScript in the browsers of users who load affected pages. An attacker can use it to inject scripts capable of stealing session cookies, defacing the site, or redirecting users to phishing pages, compromising the confidentiality of user data and the integrity and availability of the site's interface.
Affected Systems
The vulnerability exists in Mark O’Donnell’s Team Rosters WordPress plugin for versions up to and including 4.7. Any WordPress site that has installed or is actively using the plugin within this version range is potentially exposed.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity for sites that are not otherwise protected. The EPSS score of less than 1% indicates that the probability of exploitation in the wild is currently low, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is a reflected XSS payload passed through a plugin form or GET parameter; if the plugin writes that value back into the page without sanitization or output escaping, the payload executes in the context of the victim's browser. Exploitation requires the attacker to lure a user of a vulnerable site to a crafted link or page.
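The pattern described above, shown beside its WordPress-idiomatic fix, as an added illustration rather than code from the Team Rosters plugin; the shortcode-style handler, the `team` GET parameter and the `tr_example_` function names are hypothetical:

```php
<?php
// Added illustration, not code from the Team Rosters plugin. Assumes a
// hypothetical handler that writes a "team" GET parameter back into the
// page, both as heading text and as a pre-filled form field.

// Vulnerable pattern: the request value is reflected verbatim, so any
// markup or script in ?team=... lands in the page unchanged.
function tr_example_render_unsafe() {
    $team = isset( $_GET['team'] ) ? $_GET['team'] : '';
    return '<h2>Roster for ' . $team . '</h2>'
         . '<input type="text" name="team" value="' . $team . '">';
}

// Hardened pattern: strip WordPress's added slashes, sanitize on input,
// then escape for each output context (HTML text vs. attribute value).
function tr_example_render_safe() {
    $team = isset( $_GET['team'] )
        ? sanitize_text_field( wp_unslash( $_GET['team'] ) )
        : '';
    return '<h2>Roster for ' . esc_html( $team ) . '</h2>'
         . '<input type="text" name="team" value="' . esc_attr( $team ) . '">';
}
```

`esc_html()` and `esc_attr()` must be chosen per output context; a value placed in a URL or inline script needs `esc_url()` or `wp_json_encode()` instead, and sanitizing on input alone is not a substitute for escaping on output.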
OpenCVE Enrichment