Impact
The vulnerability is an improper neutralization of user-supplied input that results in reflected cross-site scripting (XSS). An attacker can supply malicious input that is echoed back into the web page, enabling the execution of arbitrary JavaScript in the victim's browser. This can lead to credential theft, session hijacking, or the delivery of phishing attacks. The weakness is classified as CWE-79. The impact is limited to the scope of the affected WordPress installation and the browser of any user who interacts with the vulnerable page, but it can be leveraged for social engineering or remote code injection in the context of the site's user base.
Affected Systems
The issue affects the Mortgage Calculator BMI Adult & Kid Calculator WordPress plugin in all releases from the earliest available through version 1.2.2. Any WordPress site running this plugin without an upgrade to a higher version is potentially vulnerable.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests that, as of the time of analysis, the probability of exploitation is low but not negligible. The vulnerability is not listed in the CISA KEV catalog, so no widespread public exploitation has been reported. The attack vector is inferred to be user-controllable web requests carrying specially crafted query parameters or form data that the plugin echoes into the page without proper output encoding. The need for victim interaction (e.g., clicking a crafted link) limits the attack surface but still presents a realistic risk for sites that receive untrusted input.
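The pattern described above, a query parameter echoed into the page without encoding, shown beside its hardened form. This is an added illustration and not the plugin's code; the `amount` parameter, the form markup and the fallback definitions of `esc_attr()`/`esc_html()` (approximating WordPress's escaping helpers so the file runs outside WordPress) are assumptions.

```php
<?php
// Added illustration, not code from the affected plugin. Inside WordPress the
// real esc_attr()/esc_html() are defined; these fallbacks approximate them
// (htmlspecialchars with ENT_QUOTES) so the file runs stand-alone.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// VULNERABLE pattern (CWE-79): the raw request value is concatenated into an
// attribute value and into a text node. A value containing a quote or '<'
// escapes its context and is rendered by the browser as markup.
function render_form_vulnerable(array $query): string {
    $amount = $query['amount'] ?? '';           // hypothetical parameter name
    return '<input name="amount" value="' . $amount . '">'
         . '<p>Amount entered: ' . $amount . '</p>';
}

// HARDENED pattern: validate the value against what a calculator field can
// legitimately hold (a non-negative number), then escape on output for the
// exact context it lands in. Escaping stays as defence in depth even though
// validation alone already rejects markup characters.
function render_form_hardened(array $query): string {
    $raw = $query['amount'] ?? '';
    // Allowlist validation: only a decimal number is accepted, else a default.
    $amount = (is_numeric($raw) && (float) $raw >= 0) ? (string) (float) $raw : '0';
    return '<input name="amount" value="' . esc_attr($amount) . '">'
         . '<p>Amount entered: ' . esc_html($amount) . '</p>';
}

// Constructed request: not a number, and contains characters that would close
// the attribute and open a tag if reflected unencoded.
$constructed_query = ['amount' => '"><b>not a number</b>'];
echo "Vulnerable: " . render_form_vulnerable($constructed_query) . "\n";
echo "Hardened:   " . render_form_hardened($constructed_query) . "\n";
```

Running the file shows the vulnerable output containing a live `<b>` element while the hardened output reflects only the validated default value.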
OpenCVE Enrichment