Impact
The vulnerability is a reflected cross-site scripting flaw caused by improper neutralization of input during web page generation. An attacker who can craft malicious input that is subsequently reflected in the browser may be able to execute JavaScript in the context of an authenticated or unauthenticated user's browser session. This could lead to session hijacking, credential theft, or defacement of the victim site. The weakness is classified as CWE-79.
Affected Systems
The flaw affects the WordPress plugin Track, Analyze & Optimize by WP Tao developed by Michal Jaworski, in all releases from the earliest listed version through version 1.3 inclusive. WordPress sites that have this plugin installed and enabled and that allow unauthenticated or authenticated visitors to access the affected endpoints are at risk.
Risk and Exploitability
The CVSS v3.1 base score of 7.1 indicates a high severity, while the EPSS score of less than 1% suggests that exploitation is not widespread yet. The vulnerability is not currently listed in the CISA KEV catalog, so large‑scale active exploitation is not documented. Attackers can exploit the flaw by embedding a malicious script in a URL or input that the plugin reflects back to the page. Authentication is not required in order to trigger the reflected payload, though the attacker's access level determines the damage that can be achieved.