Impact
Improper neutralization of user input during web page generation in the Feedify – Web Push Notifications plugin allows a reflected cross‑site scripting (XSS) vulnerability. An attacker can embed malicious JavaScript in reflected input fields or URLs, causing it to run in the browser of any user who opens the crafted link. This can lead to theft of session cookies, credential hijacking, defacement, or the execution of other malicious actions within the victim’s context.
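The defect class described above, shown as an added illustration that is not Feedify's code: a hypothetical WordPress shortcode that reflects a query-string value into the page, first unescaped and then with WordPress core sanitization and context-specific escaping (the function and parameter names are invented for this example).

```php
<?php
// Added example, not code from the Feedify plugin. The shortcode name,
// function names and the 'status' / 'return' query parameters are hypothetical.

// VULNERABLE PATTERN: raw request input is concatenated straight into HTML,
// so the browser interprets whatever arrives in ?status=... as markup/script.
function fdfy_example_status_vulnerable( $atts ) {
    $status = isset( $_GET['status'] ) ? $_GET['status'] : '';
    $return = isset( $_GET['return'] ) ? $_GET['return'] : home_url();
    return '<p class="fdfy-status">Status: ' . $status . '</p>'
         . '<a href="' . $return . '">Back</a>';
}

// HARDENED PATTERN: unslash, sanitize on input, then escape for the exact
// output context (HTML text node, attribute, URL) with WordPress core helpers.
function fdfy_example_status_hardened( $atts ) {
    $status = isset( $_GET['status'] )
        ? sanitize_text_field( wp_unslash( $_GET['status'] ) )
        : '';
    // esc_url_raw() validates/normalizes the URL for storage or further use;
    // esc_url() is applied again at output time for the href attribute.
    $return = isset( $_GET['return'] )
        ? esc_url_raw( wp_unslash( $_GET['return'] ) )
        : home_url();

    // esc_html() for text content, esc_attr() for attribute values,
    // esc_url() for href. Each helper encodes the characters that matter
    // in its context, so reflected input can no longer break out into script.
    return '<p class="fdfy-status" data-status="' . esc_attr( $status ) . '">'
         . 'Status: ' . esc_html( $status ) . '</p>'
         . '<a href="' . esc_url( $return ) . '">Back</a>';
}

// Only the hardened handler should ever be registered.
add_shortcode( 'fdfy_example_status', 'fdfy_example_status_hardened' );
```

Escaping must happen at output, per context; sanitizing on input alone does not protect an attribute or URL sink.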
Affected Systems
The affected product is the WordPress plugin Feedify – Web Push Notifications, produced by feedify. All plugin versions from the earliest published through version 2.4.5 are susceptible. Sites that have installed any of these versions are at risk.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity for this reflected XSS flaw, but the EPSS score of less than 1% suggests that widespread exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a crafted URL or input that includes a malicious script; no privilege escalation is needed, and an unauthenticated or logged‑in visitor can trigger the injection. Because there are no advanced prerequisites, the attack surface is broad, and although the exploitation probability is low, immediate attention is still warranted.
OpenCVE Enrichment
EUVD