Impact
The vulnerability is a Reflected Cross‑Site Scripting flaw that occurs when the plugin fails to neutralize user input properly before rendering it on a web page. Because the attacker can embed malicious JavaScript within a crafted URL, a victim who visits the URL will execute the script in their browser context, potentially stealing session cookies, defacing content, or executing further malicious actions. The affected code paths are limited to user‑controllable parameters that are reflected in the page output, so the impact is confined to the users who interact with the vulnerable page rather than the server itself.
Affected Systems
The affected component is the WordPress plugin “Backup and Staging by WP Time Capsule” from the vendor revmakx. Versions from the initial release through 1.22.23, the last known vulnerable version, are affected. Later patched versions are not impacted.
Risk and Exploitability
The CVSS score of 7.1 indicates a high severity level for a reflected XSS. However, the EPSS score is under 1%, implying that the likelihood of this vulnerability being actively exploited in the wild is low. This issue is not listed in the CISA KEV catalog, further suggesting that it has not been targeted by known exploits to date. The attack vector is inferred to be remote and to require no authentication; a maliciously crafted link can deliver the payload to any user who visits the affected page.