The Connector to CiviCRM with CiviMcRestFace plugin contains an improper neutralization of input during web page generation, classified as Cross‑Site Scripting (CWE‑79). When a user visits a crafted page that includes unsanitized data returned by the plugin, the browser will execute injected JavaScript in the victim’s context. This flaw can lead to theft of session cookies, defacement, and the execution of arbitrary background scripts that influence data confidentiality, integrity, and availability for users and administrators alike.

The vulnerability affects the WordPress Connector to CiviCRM with CiviMcRestFace plugin version 1.0.8 and earlier. The plugin is developed by Jaap Jansma and integrated as a connector for CiviCRM within WordPress sites. All installations referencing any released version from the predecessor through 1.0.8 are susceptible.

With a CVSS score of 7.1 the flaw is considered high severity. The EPSS score of less than 1% indicates a very low but non‑zero likelihood of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is inferred to be through a reflected query parameter or form field, where user input is displayed back without proper escaping. If an attacker can influence the input—such as via a malicious link or crafted request—they can trigger the XSS in the context of each authenticated or unauthenticated visitor. The risk remains significant for sites that rely on this connector to host or display user‑generated data.