Impact
The vulnerability is an improper neutralization of input during web page generation, which allows an attacker to inject malicious script into a page viewed by legitimate users. Because the flaw is a reflected XSS, crafted input sent in a request is echoed back in the resulting HTML, so attacker-controlled script executes in the victim's browser in the context of the targeted site. If exploited, an attacker could hijack user sessions, steal cookies, deface content, or redirect visitors to malicious sites.
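To make "improper neutralization of input during page generation" concrete, the following is an added, generic illustration; it is not WidgetKit Pro's code and does not describe the actual flaw in the plugin. It shows a hypothetical widget renderer that reflects two request parameters (`wk_title` and `wk_link`, names assumed) into its markup, first without escaping and then with WordPress's context-specific escaping functions. The polyfills at the top let the file run under the PHP CLI without WordPress; inside WordPress the real `esc_html()`, `esc_attr()` and `esc_url()` are used instead.

```php
<?php
// Added illustration (not WidgetKit Pro's code): reflecting request input
// into HTML unescaped versus escaped for the context it lands in.

// Stand-alone polyfills so this runs under `php` without WordPress loaded.
// The real WordPress functions behave similarly; esc_url() in particular uses
// the longer wp_allowed_protocols() scheme allow-list.
if (!function_exists('esc_html')) {
    function esc_html($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text): string {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url($url): string {
        $url = trim((string) $url);
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        // Drop the value entirely if it carries a scheme outside the allow-list.
        if ($scheme !== '' && !in_array($scheme, ['http', 'https', 'mailto'], true)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

/**
 * Vulnerable pattern: request values are concatenated straight into markup,
 * so any '<', '>' or '"' in them changes the page structure (reflected XSS).
 */
function render_widget_unsafe(array $request): string
{
    $title = $request['wk_title'] ?? 'Untitled';
    $link  = $request['wk_link']  ?? '#';
    return '<div class="widget" data-title="' . $title . '">'
         . '<a href="' . $link . '">' . $title . '</a></div>';
}

/**
 * Hardened pattern: each value is escaped for the exact context it is
 * written into (attribute, URL attribute, element text).
 */
function render_widget_safe(array $request): string
{
    $title = $request['wk_title'] ?? 'Untitled';
    $link  = $request['wk_link']  ?? '#';
    return '<div class="widget" data-title="' . esc_attr($title) . '">'
         . '<a href="' . esc_url($link) . '">' . esc_html($title) . '</a></div>';
}

// Constructed sample input containing markup characters (stands in for $_GET).
$sample = [
    'wk_title' => 'Sale! <b>50% off</b> "now"',
    'wk_link'  => 'https://example.com/?a=1&b=2',
];

echo render_widget_unsafe($sample), PHP_EOL; // markup characters land in the page as-is
echo render_widget_safe($sample), PHP_EOL;   // they are rendered as literal text
```

Running it with `php widget_escape_demo.php` prints the two renderings side by side: in the first, the `<b>` tag and the quote characters become part of the page's structure; in the second, they are emitted as `&lt;`, `&gt;` and `&quot;` entities and are displayed as text. The practical check when reviewing plugin code is that every request-derived value passes through an escaping function matching its output context immediately before it is echoed.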
Affected Systems
The flaw affects the Themesgrove WidgetKit Pro WordPress plugin in all released versions up to and including 1.13.1. Any WordPress installation running a version in this range is vulnerable. The CNA identifies the affected product as WidgetKit Pro, and no other vendor or product is listed.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, but the EPSS score is reported as less than 1%, suggesting a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, so no active exploitation campaigns are documented. Exploitation requires a victim to visit a page where the plugin's output includes the attacker-supplied input, so the attack depends on user interaction and is limited to site visitors. The risk to site operators remains moderate, while site visitors are at risk of script execution in their browsers.
OpenCVE Enrichment