The Dot html,php,xml etc pages plugin contains an improper neutralization of user‑controlled input during page generation. This flaw permits an attacker to inject and execute arbitrary JavaScript in the victim’s browser, enabling session hijacking, data theft, or defacement. The core weakness is a reflected XSS flaw, identified by CWE‑79, which compromises the confidentiality and integrity of information visible to the user. If an attacker can lure an end‑user to a crafted request, the victim’s browser will run malicious code, potentially handing over credentials or executing additional actions on behalf of the user.

The vulnerability exists in the karimmughal Dot html,php,xml etc pages plugin version 1.0 and earlier for WordPress sites. Site administrators who have installed any WordPress installation running this plugin (through version 1.0) are affected.

The CVSS score of 7.1 indicates high severity, but the EPSS score of less than 1% suggests a very low current exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit it by directing a user to a crafted URL that includes malicious input; this client‑side attack requires user interaction. Because the flaw is reflected, the payload appears directly in the response, making detection and mitigation straightforward once a patch is applied.