Impact
Improper neutralization of input during web page generation results in a reflected Cross‑Site Scripting (XSS) vulnerability. The flaw lets an attacker inject arbitrary client‑side script into the page that is rendered for a user who loads a crafted request, enabling actions such as session hijacking, defacement, or phishing. The weakness is classified as CWE‑79 and affects the confidentiality and integrity of user sessions, potentially compromising credentials and trust in the site.
Affected Systems
Operators of WordPress sites running the xili‑tidy‑tags plugin from Michel – xiligroup dev should note that all versions up to and including 1.12.06 are vulnerable. The issue lies in the plugin’s handling of user‑supplied tags and is present in every installation running a version earlier than the 1.12.07 release.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1 % indicates a very low current likelihood of mass exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The injected script executes in the victim’s browser: an attacker can craft a URL or input containing malicious script that is reflected back into the page, and no authentication is required. Consequently, any visitor who loads the crafted link or interacts with the reflected input is at risk, the primary impact being client‑side code execution and potential credential theft.
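The CWE‑79 pattern behind this class of finding, and the output‑encoding fix for it, in generic form. This is an added illustration, not the xili‑tidy‑tags plugin’s code: the `tag` parameter name, the markup and the test input are constructed for the example, and the WordPress helper names mentioned in the comments (esc_html(), esc_attr()) are the standard plugin equivalents of the plain‑PHP calls used here so the script runs without WordPress.

```php
<?php
// Added illustration of reflected XSS (CWE-79) and its fix in plain PHP.
// Not the xili-tidy-tags plugin's code; the "tag" parameter, the markup
// and the sample input below are constructed for this example.

declare(strict_types=1);

// Vulnerable pattern: a request value is concatenated straight into HTML,
// so any markup in the value becomes part of the rendered page.
function render_tag_vulnerable(string $tag): string
{
    return '<li class="tag">' . $tag . '</li>';
}

// Hardened pattern: encode for the HTML text context at the point of output.
// In a WordPress plugin the equivalent call is esc_html().
function render_tag_safe(string $tag): string
{
    $text = htmlspecialchars($tag, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<li class="tag">' . $text . '</li>';
}

// Attribute and URL contexts need their own encoding: the attribute value is
// HTML-escaped (esc_attr() in WordPress) and always quoted, while the query
// string component is percent-encoded. Mixing these up is the usual cause of
// a "fixed" page that is still injectable in one context.
function render_tag_link_safe(string $tag): string
{
    $attr = htmlspecialchars($tag, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    $query = rawurlencode($tag);
    return '<a href="?tag=' . $query . '" data-tag="' . $attr . '">' . $attr . '</a>';
}

// Defender-side self-check: after encoding, no raw tag delimiter or quote
// from the input may survive into the generated HTML.
function output_is_encoded(string $html, string $input): bool
{
    $stripped = str_replace(['<li class="tag">', '</li>'], '', $html);
    return strpbrk($stripped, '<>"\'') === false;
}

// Constructed input standing in for $_GET['tag'] on a crafted link.
$input = '"><script>alert(1)</script>';

$vulnerable = render_tag_vulnerable($input);
$safe       = render_tag_safe($input);

echo "vulnerable: ", $vulnerable, PHP_EOL;
echo "safe:       ", $safe, PHP_EOL;
echo "safe link:  ", render_tag_link_safe($input), PHP_EOL;
echo "vulnerable output encoded? ", output_is_encoded($vulnerable, $input) ? 'yes' : 'no', PHP_EOL;
echo "safe output encoded?       ", output_is_encoded($safe, $input) ? 'yes' : 'no', PHP_EOL;
```

Run it with `php example.php`. The point the example makes is that the fix belongs at the output step and must match the context (element text, attribute value, URL component); sanitizing on input alone, or escaping for one context and reusing the value in another, leaves a reflection path open.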
OpenCVE Enrichment
EUVD