The vulnerability is an improper neutralization of input during web page generation that allows a reflected cross‑site scripting attack. An attacker could inject malicious script into the plugin’s output, causing unsuspecting users’ browsers to execute the code. This can lead to theft of session tokens, credential hijacking, defacement of content, or redirection to malicious sites, thereby impacting the confidentiality, integrity, and availability of the affected WordPress site.

The issue affects the Stefan M. SMu Manual DoFollow plugin on WordPress versions that use the plugin from the earliest release through version 1.8.1. Any WordPress installation with this plugin installed and enabled is potentially vulnerable.

The CVSS score of 7.1 indicates a high severity with a significant potential for damage. However, the EPSS score of less than 1% suggests that exploitation for this weakness is currently unlikely. The vulnerability is not flagged in the CISA KEV catalog. An attacker would need a user to visit a crafted URL that includes the vulnerable parameter, making the attack distance local and requiring social engineering or compromised content to lure users. If an attacker can control the content sent to the victim, they could amplify the impact by embedding malicious scripts that target the user’s session or credentials.