Impact
The vulnerability is an improper neutralization of input during web page generation (reflected cross-site scripting): an attacker can supply input that the plugin echoes back, unescaped, into pages viewed by other users. Because the plugin can be made to emit arbitrary JavaScript, a successful attack could lead to cookie theft, session hijacking, or defacement of the site. The weakness is the well-known XSS class and can undermine the confidentiality, integrity, and availability of the site for visitors who interact with the affected input fields.
Affected Systems
The WordPress Time Sheets plugin developed by mrdenny is affected. Version 2.1.3 and all earlier releases carry the flaw; installations must be updated to a version later than 2.1.3.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity. The EPSS score of less than 1 percent, however, shows that the likelihood of widespread exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves crafting a malicious link or form that includes a user-controlled query parameter; when a victim clicks the link or submits the form, the plugin reflects the unsanitized input back into the page, and the victim's browser executes the embedded script. Because the flaw requires attacker-controlled input to be rendered, an active web attack through the plugin's front end is the most probable exploitation path.
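The pattern described above, reduced to a minimal illustration, as an added example that is not the Time Sheets plugin's own code: a request parameter concatenated straight into HTML beside the same output escaped the way a WordPress plugin should do it. The parameter name `period`, the heading markup, and the constructed input are hypothetical; the `function_exists` stand-ins only make the file run outside WordPress, where the real `wp_unslash()`, `sanitize_text_field()`, and `esc_html()` are already defined.

```php
<?php
// Added example (not the plugin's code): reflected output without and with
// escaping. Parameter name "period" and the surrounding markup are hypothetical.

// Stand-ins so the file runs from the command line; inside WordPress the real
// functions exist and these definitions are skipped.
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) {
        return stripslashes($value);
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        $str = strip_tags((string) $str);               // drop HTML tags
        $str = preg_replace('/[\r\n\t ]+/', ' ', $str); // collapse whitespace
        return trim($str);
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        // Escape for an HTML text node; quotes included so the value is also
        // safe if later reused inside an attribute.
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: the query value is placed into the page unchanged,
// so any markup or script in the URL is rendered by the victim's browser.
function render_heading_vulnerable(array $get): string {
    $period = $get['period'] ?? '';
    return '<h2>Time sheet for ' . $period . '</h2>';
}

// Hardened pattern: unslash, sanitize on input, and escape at the point of
// output. Escaping at output is the control that actually closes the XSS;
// sanitize_text_field() is defence in depth.
function render_heading_fixed(array $get): string {
    $period = isset($get['period'])
        ? sanitize_text_field(wp_unslash($get['period']))
        : '';
    return '<h2>Time sheet for ' . esc_html($period) . '</h2>';
}

// Constructed request: a value carrying markup that must not survive as HTML.
$request = ['period' => 'Q1 <i>2024</i> & co'];

echo "Vulnerable: " . render_heading_vulnerable($request) . PHP_EOL;
// -> <h2>Time sheet for Q1 <i>2024</i> & co</h2>   (tags reach the browser)

echo "Fixed:      " . render_heading_fixed($request) . PHP_EOL;
// -> <h2>Time sheet for Q1 2024 &amp; co</h2>       (tags stripped, & escaped)
```

Run it with `php reflect.php`. When reviewing a plugin update for this class of bug, look for the same shape at every point where request data reaches output: the value must pass through `esc_html()`, `esc_attr()`, or `esc_url()` according to the HTML context it lands in, immediately before it is echoed.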