Impact
Improper neutralization of input during web page generation results in a reflected Cross‑Site Scripting vulnerability. The AT Internet SmartTag plugin fails to sanitize user input, allowing malicious scripts to be inserted into the page that is delivered to a victim. An attacker capable of crafting a malicious URL or input can cause the victim’s browser to execute arbitrary JavaScript, potentially enabling session hijacking, credential theft, or defacement. This flaw is classified as CWE‑79.
Affected Systems
The vulnerability is found in the BenDlz AT Internet SmartTag WordPress plugin. All releases from the earliest version up to and including 0.2 are impacted. Users running any of these plugin versions on a WordPress site should consider them vulnerable until the issue is resolved.
Risk and Exploitability
The CVSS base score of 7.1 denotes a high severity reflected XSS vulnerability. The EPSS score of less than 1% indicates a low likelihood of exploitation on a global scale, but because the flaw is triggered by user‑controlled input, an attacker could target individual sites with minimal effort. The vulnerability is not listed in the CISA KEV catalog, so there are no confirmed large‑scale exploitation incidents at this time. An attacker with access to a public URL could launch the exploit, so protection requires neutralizing the malicious input or removing the vulnerable plugin entirely.
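The improper-neutralization pattern behind CWE‑79, and the output escaping that neutralizes it, shown as an added Python illustration. This is not code from the plugin (which is PHP; the advisory publishes no code): the query parameter name `q`, the sample URL and the page templates are constructed for the example, and the WordPress functions named in the comments (`esc_html()`, `esc_attr()`) are the PHP equivalents of what the hardened renderers do here.

```python
import html
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample request, not a URL taken from the advisory: the "q"
# parameter stands in for whatever input the vulnerable page reflects.
SAMPLE_URL = "https://example.test/?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def query_param(url: str, name: str) -> str:
    """Read one query parameter, the way a plugin reads $_GET[name]."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get(name, [""])[0]


def render_vulnerable(term: str) -> str:
    """The CWE-79 pattern: input is written into HTML with no neutralization."""
    return f"<p>Results for: {term}</p>"


def render_hardened(term: str) -> str:
    """Same page, with the value escaped for an HTML text-content context.

    html.escape turns < > & " ' into entities, so the browser renders the
    input as text instead of parsing it as markup (WordPress: esc_html()).
    """
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def render_hardened_attr(term: str) -> str:
    """Value placed in a quoted attribute: quotes must be escaped as well
    (WordPress: esc_attr()). Untrusted input never belongs in an unquoted
    attribute, where no amount of entity escaping keeps it contained."""
    return f'<input type="text" name="q" value="{html.escape(term, quote=True)}">'


def render_hardened_js(term: str) -> str:
    """Value placed inside an inline <script> as a JS string literal.

    HTML entity escaping is the wrong tool here, because the browser does
    not decode entities inside <script>. JSON-encode the value and break any
    "</" sequence so the literal cannot close the script element early.
    """
    literal = json.dumps(term).replace("</", "<\\/")
    return f"<script>var q = {literal};</script>"


def reflects_unescaped(term: str, rendered: str) -> bool:
    """Check used to compare the renderers: True when input that contains
    markup-significant characters appears verbatim in the output."""
    return any(c in term for c in "<>\"'") and term in rendered


def demo() -> dict:
    """Run every renderer on the constructed sample and report which ones
    hand the input to the browser unchanged."""
    term = query_param(SAMPLE_URL, "q")
    return {
        "input": term,
        "vulnerable": reflects_unescaped(term, render_vulnerable(term)),
        "hardened_text": reflects_unescaped(term, render_hardened(term)),
        "hardened_attr": reflects_unescaped(term, render_hardened_attr(term)),
        "hardened_js": reflects_unescaped(term, render_hardened_js(term)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the three hardened variants is that escaping is context-specific: the same input needs different treatment depending on whether it lands in element text, a quoted attribute, or a script block, and applying only the text-content escaping in the other two contexts leaves the reflection exploitable. When reviewing a plugin for this class of bug, check each place request data reaches the page for the escaping function matching that output context.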
OpenCVE Enrichment
EUVD