Impact
The Web2application plugin for WordPress fails to neutralize user input before it is written into generated web pages, allowing an attacker to inject script that the plugin reflects back to the victim. This reflected cross‑site scripting flaw (CWE‑79) permits execution of arbitrary JavaScript in the browser of any user who views the affected page, whether or not that user is authenticated, and can result in session hijacking, credential theft, or defacement of the site. The weakness is direct: input is not sanitized or escaped before the plugin’s output routines render it, so a crafted URL or form submission is enough to trigger it.
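To make the mechanism concrete, the following PHP shows the general reflected-XSS pattern the advisory describes beside the WordPress-idiomatic hardened form. This is an added illustration written for this page, not code from the Web2application plugin or its author; the function names, the `search_term` and `return_to` request parameters, and the rendering context are hypothetical assumptions, since the advisory does not identify the affected parameter or output routine.

```php
<?php
// Added illustration, not the plugin's own code. The parameter names
// "search_term" / "return_to" and the function names are hypothetical.
//
// Note: sanitize_text_field(), wp_unslash(), esc_html(), esc_attr(), esc_url()
// and home_url() are standard WordPress core functions.

// VULNERABLE PATTERN (the CWE-79 shape described in the advisory):
// request input is concatenated into HTML and echoed unchanged, so a crafted
// link to this page is reflected into the victim's browser as markup.
function w2a_demo_render_vulnerable() {
    $term = isset( $_GET['search_term'] ) ? $_GET['search_term'] : '';

    echo '<p>Results for: ' . $term . '</p>';                               // HTML text context, unescaped
    echo '<input type="text" name="search_term" value="' . $term . '">';   // attribute context, unescaped
}

// HARDENED PATTERN: normalize on input, then escape on output for the exact
// context the value lands in. The escaping at render time is the actual fix;
// input sanitization alone is not sufficient for XSS.
function w2a_demo_render_hardened() {
    // wp_unslash() removes WordPress's automatic slashing; sanitize_text_field()
    // strips tags, invalid UTF-8 and line breaks. This is normalization only.
    $term = isset( $_GET['search_term'] )
        ? sanitize_text_field( wp_unslash( $_GET['search_term'] ) )
        : '';

    // HTML text context: esc_html() encodes <, >, &, " and ' as entities.
    echo '<p>Results for: ' . esc_html( $term ) . '</p>';

    // HTML attribute context: esc_attr() is the correct escaper here, so an
    // injected quote cannot close the attribute and start a new one.
    echo '<input type="text" name="search_term" value="' . esc_attr( $term ) . '">';

    // URL context: esc_url() validates the scheme (rejecting javascript: and
    // other unsafe schemes) and encodes characters that are unsafe in href.
    $back = isset( $_GET['return_to'] ) ? wp_unslash( $_GET['return_to'] ) : home_url( '/' );
    echo '<a href="' . esc_url( $back ) . '">Back</a>';
}
```

The review check this suggests for any plugin output routine is simple: every `echo`/`print` of request-derived data must pass through the escaper matching its destination (`esc_html` for text, `esc_attr` inside attributes, `esc_url` in `href`/`src`), chosen at the point of output rather than relying on earlier sanitization.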
Affected Systems
All installations of the tzin111 Web2application plugin version 6.1 and earlier are impacted. The issue applies to WordPress sites that have not upgraded away from these vulnerable plugin releases.
Risk and Exploitability
The CVSS score of 7.1 indicates a high severity with moderate to high impact on confidentiality, integrity, and availability. The EPSS score of less than 1% suggests that exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. However, because reflected XSS can be triggered via crafted URLs, any user who follows a malicious link could be affected. The attack vector is inferred as remote, relying on a victim’s browser rendering the malicious script, and requires no authentication. As no public proof‑of‑concept is linked, the threat remains theoretical but should still be mitigated promptly.
OpenCVE Enrichment
EUVD