The vulnerability is a reflected cross‑site scripting flaw in the Stop Registration Spam WordPress plugin version 1.24 and earlier, arising from inadequate sanitization of user‑supplied input during web page generation. An attacker can embed arbitrary JavaScript in a crafted URL that the plugin directly reflects back to the user’s browser. Successful exploitation results in the execution of attacker‑controlled code in the context of the site, enabling session hijacking, theft of user credentials, defacement of the page, or diverting users to malicious destinations. This type of flaw is identified as CWE‑79 and typically targets users who are tricked into clicking a malicious link or submit a request containing injected script payloads.

The affected product is Tomroyal’s Stop Registration Spam WordPress plugin, with all releases labeled 1.24 or earlier. The vulnerability spans from the initial release through version 1.24, affecting any WordPress installation that has installed or enabled the plugin during that period. Any environment using a vulnerable version of the plugin is susceptible, regardless of the site administrator’s privileges or the server configuration.

The overall CVSS score of 7.1 indicates a moderate to high severity, while an EPSS score of less than 1% suggests that the probability of exploitation is currently low, and the flaw is not listed in the CISA KEV catalog. The likely attack vector is through a maliciously crafted link or form submission that the plugin does not properly escape, requiring the victim to load that URL in their browser. An attacker could also target site visitors by embedding a dangerous script in external links or social media posts. Because the flaw is client‑side, the impact is limited to the victim’s browser session unless additional content injection or credential theft mechanisms are involved.