Impact
Improper neutralization of user input during web page generation in the WP Featured Screenshot plugin leads to a reflected cross-site scripting (XSS) vulnerability. Malicious payloads injected via query parameters or form submissions can execute arbitrary JavaScript in the context of a user’s browser when the plugin renders the requested page. This could enable attackers to steal session cookies, deface content, or redirect users to malicious sites, compromising the confidentiality, integrity, and availability of the website and its visitors.
Affected Systems
Rico Macchi’s WP Featured Screenshot plugin, versions up to and including 1.3, is affected. The flaw exists in the plugin’s handling of input when generating previews or screenshots, permitting reflected XSS across all installations using the vulnerable versions.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, but the EPSS score of less than 1% suggests a very low probability of exploitation at this time. The vulnerability is not yet listed in CISA KEV. Based on the description, the likely attack vector is a remote HTTP request targeting the plugin’s endpoints, where an attacker supplies malicious content that is reflected back in the page. If exploited, the attacker could execute arbitrary scripts in a victim’s browser during normal interaction with the site.