Impact
The vulnerability is an improper neutralization of input during web page generation (CWE‑79): a value the plugin receives is written back into a page without being encoded for the HTML context it lands in, so attacker‑supplied markup and script become part of the page. Because the flaw is reflected Cross‑Site Scripting, the payload travels in a crafted URL or form submission and executes in the browser of whichever user opens that link or submits that value, under the site's origin. Impact includes theft of information the victim's browser can read, session hijacking, defacement, and further actions performed with the victim's authenticated session. WordPress sets its authentication cookies HttpOnly, so in practice the script would issue requests from the victim's browser rather than steal the cookie; the damage scales with the privilege of the user who is lured, and a logged‑in administrator is the most valuable target.
Affected Systems
This flaw affects the WordPress plugin Contact Form 7 Editor Button, developed by arisoft. Every release up to and including 1.0.0 is vulnerable; no fixed version is recorded here. Any WordPress site with the plugin installed is exposed. To check, compare the plugin's Version field on the Plugins screen (or in the output of `wp plugin list` with WP‑CLI) against 1.0.0, and deactivate or remove the plugin until a release that addresses the issue is confirmed.
Risk and Exploitability
The CVSS score of 7.1 places the vulnerability in the high‑severity range. The EPSS score of less than 1% indicates that the probability of exploitation at present is very low, and the flaw is not listed in the CISA KEV catalog. The likely attack is a specially crafted form input or URL that the plugin reflects into its output unencoded, so the embedded script runs in the victim's browser in the context of the site. Successful exploitation requires a user to open the crafted link or submit the crafted value; the flaw on its own gives no remote code execution or server‑side compromise. The user‑interaction requirement is why the EPSS estimate is low, but it is not a reason to delay patching: a single administrator clicking a link is enough for the attack to succeed.
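The reflection described under Impact and under Risk and Exploitability, as an added Python example that is not the plugin's code and not part of the advisory: a stand‑in admin page that echoes a query parameter unencoded, the same page with the value HTML‑encoded before it is written (the role esc_attr() and esc_html() play in WordPress plugin code), and a probe that classifies how a response reflected a canary value. The admin URL, the `subject` parameter name and the canary string are assumptions chosen for illustration.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed example: a stand-in for an admin page that echoes a query
# parameter back into the form it renders. It is NOT the plugin's code;
# the page path and the parameter name "subject" are assumptions.
BASE_URL = "https://wp.example/wp-admin/admin.php?page=cf7-editor-button"


def probe_url(value: str, base: str = BASE_URL) -> str:
    """Build the crafted URL an attacker would send; quote() percent-encodes value."""
    return f"{base}&subject={quote(value, safe='')}"


def _subject(url: str) -> str:
    """Extract the reflected parameter the way a handler reading $_GET would."""
    return parse_qs(urlsplit(url).query).get("subject", [""])[0]


def render_vulnerable(url: str) -> str:
    """CWE-79: the parameter is written into an attribute and into body text unencoded."""
    subject = _subject(url)
    return (
        "<form method='post'>"
        f"<input type='text' name='subject' value='{subject}'>"
        f"<p>Editing: {subject}</p>"
        "</form>"
    )


def render_fixed(url: str) -> str:
    """Hardened form: encode for HTML before writing. html.escape(quote=True)
    turns & < > " ' into entities, which covers both contexts used here."""
    safe = html.escape(_subject(url), quote=True)
    return (
        "<form method='post'>"
        f"<input type='text' name='subject' value='{safe}'>"
        f"<p>Editing: {safe}</p>"
        "</form>"
    )


# Probe string: a unique tag plus the metacharacters that matter in attribute
# and text context. The unique tag lets us tell "absent" from "filtered".
CANARY_TAG = "zq7k"
CANARY = CANARY_TAG + "'\"<xyz>"


def reflection_status(body: str) -> str:
    """Classify how a response body reflected CANARY:
    raw      - metacharacters came back verbatim (exploitable reflection)
    encoded  - came back fully HTML-encoded (neutralized)
    filtered - tag present but metacharacters altered (inspect by hand)
    absent   - the parameter is not reflected on this page"""
    if CANARY in body:
        return "raw"
    if html.escape(CANARY, quote=True) in body:
        return "encoded"
    if CANARY_TAG in body:
        return "filtered"
    return "absent"


if __name__ == "__main__":
    url = probe_url(CANARY)
    print("vulnerable:", reflection_status(render_vulnerable(url)))  # raw
    print("fixed:     ", reflection_status(render_fixed(url)))       # encoded
    # Attribute-context payload: closes value='...' and adds an event handler.
    payload = "' autofocus onfocus='alert(document.domain)"
    print(render_vulnerable(probe_url(payload)))
```

Against a live site the same probe is sent as the `subject` value and `reflection_status` is run over the HTTP response body; a result of `raw` is what the advisory describes, `encoded` is what the fix should produce. Note that the attribute payload needs no `<` or `>` at all, which is why a filter that only strips tags leaves the attribute context exploitable.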
OpenCVE Enrichment