Impact
The WP Easy Poll plugin for WordPress fails to neutralize user-controlled input before writing it into a generated page (CWE-79), resulting in reflected cross-site scripting. An attacker constructs a URL (or other request) carrying script in a parameter the plugin reads and echoes back unescaped; when a victim opens that URL, the script runs in the victim's browser within the origin of the vulnerable WordPress site. The CVE description does not enumerate concrete outcomes, but given how reflected XSS behaves in WordPress it is reasonable to infer that an attacker who lures a logged-in user, and in particular an administrator, could act in that user's authenticated session (for example by issuing nonce-bearing admin requests from the injected script), read page content and non-HttpOnly data, or alter what the page displays, compromising the confidentiality and integrity of user data. Raw theft of the WordPress authentication cookies is limited because they are set HttpOnly by default, which is why session riding rather than cookie exfiltration is the more realistic path.
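The following is an added illustration of the vulnerable pattern and its hardened counterpart; it is not code from WP Easy Poll or aviplugins.com, and the shortcode name, the `poll_msg` and `poll_id` parameters, and the `hypo_` function names are hypothetical. It shows why sanitizing on input alone is not enough and why output must be escaped for the exact HTML context it lands in.

```php
<?php
// Added illustration, not code from WP Easy Poll. The shortcode name, the
// parameter names and the hypo_* function names are hypothetical.

// VULNERABLE: a query-string value is echoed straight into the page. A crafted
// link such as ?poll_msg=<script>...</script> is rendered as live markup, so
// the script executes in the browser of whoever opens the link (reflected XSS).
function hypo_poll_message_vulnerable() {
    $msg = isset( $_GET['poll_msg'] ) ? $_GET['poll_msg'] : '';
    return '<div class="poll-msg">' . $msg . '</div>';
}

// HARDENED: normalise on input, escape on output for the context in use.
//  - wp_unslash() removes the slashes WordPress adds to superglobals.
//  - sanitize_text_field() strips tags and control characters from free text.
//  - absint() coerces the numeric id; an id can never carry markup.
//  - esc_html() / esc_attr() do the actual neutralization for the HTML body
//    and attribute contexts respectively, so even a value that slipped past
//    sanitization cannot break out of its context.
function hypo_poll_message_fixed() {
    $msg = isset( $_GET['poll_msg'] )
        ? sanitize_text_field( wp_unslash( $_GET['poll_msg'] ) )
        : '';
    $poll_id = isset( $_GET['poll_id'] ) ? absint( $_GET['poll_id'] ) : 0;

    return sprintf(
        '<div class="poll-msg" data-poll="%s">%s</div>',
        esc_attr( $poll_id ),
        esc_html( $msg )
    );
}

// Shortcode callbacks must return, not echo, their markup.
add_shortcode( 'hypo_poll_msg', 'hypo_poll_message_fixed' );
```

When reviewing a plugin for this class of bug, grep for `$_GET`, `$_POST` and `$_REQUEST` values that reach `echo`, string concatenation or `sprintf` without passing through an `esc_*` function on the output side; a value that is only run through `sanitize_text_field()` and later placed inside a JavaScript block or a URL still needs `esc_js()` or `esc_url()` respectively.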
Affected Systems
The vulnerability affects all WP Easy Poll releases up to and including version 2.2.9, i.e. the plugin as distributed by aviplugins.com for WordPress sites. No further version constraints, and no fixed version, are specified in the source data.
Risk and Exploitability
The CVSS score of 7.1 rates the issue high severity, consistent with a network-reachable flaw that needs user interaction (the victim must open the crafted link) and affects the victim's browser rather than the server directly. The EPSS score below 1% indicates a very low predicted probability of exploitation in the near term, and the vulnerability is not listed in CISA's KEV catalog, so no confirmed in-the-wild exploitation is recorded there. Exploitation would be remote and attacker-initiated: deliver a crafted URL pointing at a WordPress site running the affected plugin (via phishing, a forum post, an ad, or any other channel), and the injected script executes in the browser of any user who follows it, with whatever privileges that user's session holds on the site.
OpenCVE Enrichment