Impact
The vulnerability arises from improper neutralization of user-supplied input during the generation of a web page, enabling a reflected cross‑site scripting (XSS) flaw. An attacker can craft a request containing malicious script code that is returned in the page rendered by the Event Espresso – Custom Email Template Shortcode plugin. When a victim requests such a page, the embedded script executes in the victim’s browser, potentially allowing the attacker to steal session cookies, redirect the user to malicious sites, or inject harmful content.
Affected Systems
The flaw affects WordPress installations that use the Event Espresso – Custom Email Template Shortcode plugin authored by Aakif Kadiwala, version 1.0.0 and earlier. No other versions are known to be vulnerable according to the current advisory.
Risk and Exploitability
The CVSS score of 7.1 denotes a high impact potential, while the EPSS score of <1 % indicates a low estimated probability that the flaw is being exploited in the wild at present. The plugin processes user input that is subsequently reflected in the HTML output, so the attack vector is a web‑based request that any remote, unauthenticated user can trigger. The vulnerability is not listed in the CISA KEV catalog, so no confirmed in‑the‑wild exploitation has been recorded there yet. Based on the description, the likely attack vector is attacker‑controlled input supplied via a crafted URL or form that the plugin then writes into the page unescaped.
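As an added illustration (not the plugin's own code), a hypothetical WordPress shortcode handler shows the unescaped-reflection pattern the advisory describes beside a hardened version that neutralizes the input before output; the function names, the `attendee` request parameter and the `demo_preview` shortcode tag are assumptions.

```php
<?php
// Added example, not code from the Event Espresso – Custom Email Template
// Shortcode plugin. It contrasts the reflected-XSS pattern described above
// (request input copied into generated HTML) with a hardened handler.

// VULNERABLE (hypothetical): a request parameter is concatenated straight
// into the markup, so a crafted URL controls HTML in the response.
function demo_preview_shortcode_vulnerable( $atts ) {
    $name = isset( $_GET['attendee'] ) ? $_GET['attendee'] : 'Guest';
    return '<p class="preview">Hello ' . $name . '</p>';
}

// HARDENED: unslash the raw value (WordPress adds magic-quote slashes to
// request data), reduce it to plain text, fall back to a shortcode attribute
// when empty, and escape for the exact output context (HTML text here).
function demo_preview_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'fallback' => 'Guest' ), $atts, 'demo_preview' );
    $raw  = isset( $_GET['attendee'] ) ? wp_unslash( $_GET['attendee'] ) : '';
    $name = sanitize_text_field( $raw );   // strips tags, control chars, extra whitespace
    if ( '' === $name ) {
        $name = $atts['fallback'];
    }
    // esc_html() turns < > & " ' into entities, so script markup stays inert text.
    return '<p class="preview">Hello ' . esc_html( $name ) . '</p>';
}

// Register only the hardened handler; the vulnerable one is shown for contrast.
add_shortcode( 'demo_preview', 'demo_preview_shortcode_hardened' );
```

Escaping must match the output context: use esc_attr() inside attribute values and esc_url() for href or src values rather than esc_html().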