The Rankie WordPress plugin contains an improper neutralization of input during web page generation, resulting in reflected XSS. When an attacker places special characters or scripts in a request parameter that the plugin echoes back in the response, a victim’s browser will execute the malicious script. This can lead to theft of session cookies, account hijacking, defacement of the site, or execution of additional client‑side attacks such as credential phishing. The vulnerability is limited to client‑side code execution and does not allow arbitrary server‑side code execution.

The flaw affects the ValvePress Rankie plugin on WordPress installations. All installations of Rankie version 1.8.2 or earlier are vulnerable; newer releases are not impacted. Because Rankie is a third‑party plugin, any WordPress site that has the plugin installed and in use may be exposed.

The CVSS score of 7.1 indicates a moderate to high severity, mainly due to the ability to deface or hijack accounts. The EPSS score of less than 1% suggests that exploitation is unlikely at this time, and the vulnerability is not listed in CISA’s KEV catalog. Even so, the attack requires only a crafted link sent to a user, so an attacker can trigger the XSS by luring a target into visiting a malicious URL "outside the site". Mitigation is therefore urgent to protect users’ session data.