Impact
The vulnerability is an instance of CWE-79, improper neutralization of input during web page generation, which allows reflected cross-site scripting. Because unsanitized request parameters are echoed back in the plugin's output, an attacker can embed JavaScript in a crafted request. If a victim visits the forged URL, the script runs in the victim's browser, where it could steal session cookies, deface the page, or redirect the user to a phishing destination. Exploitation requires no authentication, but it does require the victim to view the injected content, so the impact is bounded by user interaction.
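To make the CWE-79 pattern concrete, the following is an added example and not code from the Somonator Terms Dictionary plugin: a hypothetical WordPress shortcode handler that reflects a query-string parameter into the page. The first function shows the unescaped echo the advisory describes; the second shows the corrected handling using WordPress's own `wp_unslash()`, `sanitize_text_field()`, `esc_attr()` and `esc_html()` helpers. The shortcode name, parameter name and function names are assumptions.

```php
<?php
// Added example (hypothetical handler, not the plugin's code): a shortcode that
// looks up a dictionary term taken from the "term" query-string parameter and
// reflects it back into the page.

// VULNERABLE: the raw "term" value is concatenated into HTML text content and
// into an attribute value without any encoding, so any markup contained in the
// request is rendered by the browser as part of the page (reflected XSS).
function dict_lookup_vulnerable( $atts ) {
    $term = isset( $_GET['term'] ) ? $_GET['term'] : '';
    return '<div class="dict-result">'
         . '<input type="text" name="term" value="' . $term . '">'
         . '<p>No entry found for ' . $term . '</p>'
         . '</div>';
}

// HARDENED: remove WordPress's magic-quote slashes and strip tags on input, then
// escape for the exact output context: esc_attr() inside the value="" attribute
// and esc_html() inside text content. Escaping on output is the control that
// neutralizes the input; sanitize_text_field() is defense in depth.
function dict_lookup_hardened( $atts ) {
    $term = isset( $_GET['term'] )
        ? sanitize_text_field( wp_unslash( $_GET['term'] ) )
        : '';
    return '<div class="dict-result">'
         . '<input type="text" name="term" value="' . esc_attr( $term ) . '">'
         . '<p>No entry found for ' . esc_html( $term ) . '</p>'
         . '</div>';
}

// Register only the hardened handler under an assumed shortcode name.
add_shortcode( 'dict_lookup', 'dict_lookup_hardened' );
```

The point of the hardened version is that each output location gets the escaping function matching its context; `esc_html()` alone would not be sufficient inside an attribute, and sanitizing input without escaping output still leaves attribute and quote characters able to break out of the markup.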
Affected Systems
Somonator Terms Dictionary, a WordPress plugin that provides dictionary functionality, is affected. The flaw exists in all versions up to and including 1.5.1. Users running any release from the initial launch up to 1.5.1 are potentially vulnerable until an update is applied.
Risk and Exploitability
The flaw carries a CVSS score of 7.1, indicating a high severity due to client‑side impact. The EPSS score is below 1 %, suggesting a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a reflected request to a vulnerable page with a crafted query string or form input. An attacker must persuade a victim to click a malicious link or submit a crafted form; no authentication or elevated privileges are required.
OpenCVE Enrichment