Impact
This vulnerability occurs because the Web Directory Free plugin does not properly neutralize user‑supplied input before inserting it into a web page. When an attacker places script code in a query parameter, the plugin echoes it back into the response unescaped, allowing reflected cross‑site scripting. The weakness is a classic output-encoding failure, classified as CWE‑79 (Improper Neutralization of Input During Web Page Generation). If a victim follows a crafted URL, arbitrary JavaScript can execute in their browser in the context of the site, potentially compromising that session. The effect is confined to the victim's browser session and depends on the user visiting the malicious link.
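As an added illustration of the pattern described above (this is example code, not the plugin's own source), a hypothetical directory search page that reflects a query parameter, shown in its vulnerable form and in a hardened form that escapes the value for the HTML context; the function names and the `q` parameter are assumptions for the demo.

```php
<?php
// Added example (not the Web Directory Free plugin's code): a hypothetical
// search page that reflects the "q" query parameter into its HTML response.

// Vulnerable pattern (CWE-79): the raw parameter is concatenated into markup,
// so any tags in the URL are interpreted by the browser.
function render_results_vulnerable(array $get): string {
    $term = (string) ($get['q'] ?? '');
    return '<p>Results for: ' . $term . '</p>';
}

// esc_html() is WordPress's output-escaping helper for HTML body content.
// When this file runs outside WordPress (as in this stand-alone demo), the
// stub below reproduces its core behaviour with htmlspecialchars().
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Hardened pattern: escape at the point of output, for the context it lands in
// (esc_html for element content; esc_attr would be used inside an attribute).
function render_results_hardened(array $get): string {
    $term = (string) ($get['q'] ?? '');
    return '<p>Results for: ' . esc_html($term) . '</p>';
}

// Constructed input: a harmless tag stands in for an attacker-controlled value.
$input = ['q' => '<b>term</b>'];
echo render_results_vulnerable($input) . PHP_EOL; // <p>Results for: <b>term</b></p>   (tag is live)
echo render_results_hardened($input) . PHP_EOL;   // <p>Results for: &lt;b&gt;term&lt;/b&gt;</p> (tag is text)
```

A quick defensive check for a plugin review is to grep for `$_GET`/`$_REQUEST` values that reach `echo`, `print` or string concatenation into markup without passing through `esc_html()`, `esc_attr()` or an equivalent escaper for the target context.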
Affected Systems
WordPress sites that include the Shamalli Web Directory Free plugin of version 1.7.8 or earlier are affected. Any installation that has not been upgraded beyond the stated maximum version remains vulnerable.
Risk and Exploitability
The CVSS score of 7.1 corresponds to a High severity rating, while the EPSS score of less than 1% indicates a low estimated probability of exploitation in the wild over the near term. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw by sending a crafted URL containing the malicious payload to a legitimate user; upon visiting it, the script runs in the user's browser. The low EPSS suggests that the risk of widespread exploitation is currently small, but the potential impact warrants timely remediation by upgrading the plugin past the affected versions.