Impact
The vulnerability is an instance of improper neutralization of input during web page generation, allowing an attacker to inject and execute arbitrary JavaScript code in the browser of a user who views an affected page. The specific weakness, classified as CWE-79, can be leveraged to steal session cookies, deface the site, or redirect users to malicious domains. Because the exploit relies on reflected input, it does not require persistent changes to the site's codebase, making it relatively easy to trigger if the vulnerable code path is accessible.
Affected Systems
WordPress installations that have the dev02ali Easy Post Duplicator plugin version 1.0.1 or earlier installed are affected. No other plugins or WordPress core versions are impacted by this flaw.
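To check an installation against the affected range above, the following added example (not code from the advisory or from the plugin) scans a plugins directory for plugin headers and flags copies at version 1.0.1 or earlier. It assumes the plugin's `Plugin Name` header reads "Easy Post Duplicator"; the directory names and versions in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

AFFECTED_NAME = "easy post duplicator"  # name from the advisory; assumed to match the header
LAST_AFFECTED = (1, 0, 1)               # advisory: version 1.0.1 or earlier
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.I | re.M)

def parse_version(text):
    """Turn '1.0.1' into (1, 0, 1); missing components count as 0."""
    parts = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def read_headers(php_file):
    """Read header fields from the first 8 KiB, the part WordPress itself parses."""
    head = php_file.read_bytes()[:8192].decode("utf-8", errors="replace")
    return {key.lower(): value for key, value in HEADER_RE.findall(head)}

def find_affected(plugins_dir):
    """Return (relative path, version, status) for each copy of the named plugin."""
    hits = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        headers = read_headers(php_file)
        if headers.get("plugin name", "").lower() != AFFECTED_NAME:
            continue
        version = headers.get("version", "")
        if not version:
            status = "unknown"  # no Version header: needs manual review
        elif parse_version(version) <= LAST_AFFECTED:
            status = "affected"
        else:
            status = "not listed as affected"
        hits.append((str(php_file.relative_to(plugins_dir)), version, status))
    return hits

def demo():
    """Build a constructed plugins tree (placeholder slugs and versions) and scan it."""
    samples = [("epd-old", "Easy Post Duplicator", "1.0.1"),
               ("epd-new", "Easy Post Duplicator", "2.0.0"),
               ("other", "Some Other Plugin", "0.9")]
    with tempfile.TemporaryDirectory() as root:
        for slug, name, version in samples:
            plugin_dir = Path(root, slug)
            plugin_dir.mkdir()
            header = f"<?php\n/*\n * Plugin Name: {name}\n * Version: {version}\n */\n"
            plugin_dir.joinpath("main.php").write_text(header)
        return find_affected(root)

if __name__ == "__main__":
    for row in demo():
        print(*row, sep="\t")
```

On a real host, call `find_affected()` with the path to `wp-content/plugins`.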
Risk and Exploitability
The CVSS score of 7.1 places this issue in the high-severity range. The EPSS score is listed as less than 1%, suggesting that, while exploitation is possible, it is not currently widespread in the wild. The vulnerability is not listed in the CISA KEV catalog, which also indicates an absence of known large-scale exploits. The likely attack vector is remote via a malicious link or form that a user clicks or submits, after which the injected script runs in the victim's browser.