Impact
The vulnerability is a reflected cross-site scripting (XSS) flaw that allows an attacker to inject arbitrary JavaScript into pages served by the miunosoft Task Scheduler plugin. The flaw stems from improper neutralization of input during web page generation and is classified as CWE-79. An attacker can trick a user into visiting a crafted URL, causing scripts to run with the user's privileges. Specific consequences, such as session hijacking, data theft, or defacement, are inferred; the CVE description does not state them explicitly.
Affected Systems
The miunosoft Task Scheduler plugin for WordPress, versions up to and including 1.6.3. All installations of the plugin from the earliest version through 1.6.3 are affected; site administrators using this plugin should verify their installed version and upgrade when possible.
Risk and Exploitability
The CVSS score of 7.1 indicates moderate to high severity. The EPSS score is less than 1%, suggesting that the probability of exploitation is low at present, but the vulnerability exists in a public-facing plugin and the exploit path is straightforward. The vulnerability is not listed in the CISA KEV catalog, yet its nature allows attackers to execute payloads during normal site use, which makes it usable for phishing or malware delivery. The attack vector is inferred to be remote, via a constructed URL that includes malicious query parameters, with no authentication required.