Impact
The vulnerability arises from improper neutralization of user input during web page generation in the Penci Bookmark & Follow plugin, enabling attackers to inject and execute arbitrary scripts when a victim follows a crafted link. This reflected XSS allows malicious code to run in the victim's browser, potentially leading to session hijacking, defacement, or credential theft. The weakness is identified as CWE-79.
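The following is an added illustration, not code from the Penci Bookmark & Follow plugin, of the class of defect described above: a query-string value written into generated HTML without escaping, beside the hardened form that sanitizes on input and escapes per output context with the WordPress helpers. The parameter name pb_ref, the function names and the markup are assumptions for illustration; the stand-in escaping functions at the top exist only so the file runs under plain PHP outside WordPress.

```php
<?php
// Added example (not the plugin's code). Demonstrates the CWE-79 pattern and its fix.

if ( ! function_exists( 'esc_html' ) ) {
    // Minimal stand-ins so the example runs outside WordPress (assumption: plain PHP CLI).
    // Inside WordPress the real core functions are used instead.
    function esc_html( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }
    function esc_attr( $s ) { return esc_html( $s ); }
    function esc_url( $s ) {
        $s = trim( (string) $s );
        // Allow only http(s) and site-relative links; anything else becomes empty.
        return preg_match( '#^(https?://|/)#i', $s ) ? esc_attr( $s ) : '';
    }
    function sanitize_text_field( $s ) { return trim( strip_tags( (string) $s ) ); }
    function wp_unslash( $s ) { return stripslashes( (string) $s ); }
}

// Vulnerable pattern (hypothetical): the raw query value lands in an attribute
// and in element text, so a crafted link can break out of both contexts.
function pb_render_unsafe( array $query ) : string {
    $ref = isset( $query['pb_ref'] ) ? $query['pb_ref'] : '';
    return '<a href="' . $ref . '">' . $ref . '</a>';
}

// Hardened form: sanitize on input, then escape for each output context.
// esc_url() neutralises disallowed schemes for the href attribute;
// esc_html() renders the same value as inert text inside the element.
function pb_render_safe( array $query ) : string {
    $ref = isset( $query['pb_ref'] )
        ? sanitize_text_field( wp_unslash( $query['pb_ref'] ) )
        : '';
    return '<a href="' . esc_url( $ref ) . '">' . esc_html( $ref ) . '</a>';
}

// Constructed input standing in for the query string of a crafted link.
$crafted = array( 'pb_ref' => '"><script>alert(1)</script>' );
$benign  = array( 'pb_ref' => 'https://example.com/page' );

echo "unsafe:  ", pb_render_unsafe( $crafted ), PHP_EOL; // markup escapes the attribute
echo "safe:    ", pb_render_safe( $crafted ),   PHP_EOL; // rendered as inert text
echo "benign:  ", pb_render_safe( $benign ),    PHP_EOL; // legitimate value still works
```

The defensive rule the safe variant follows is the one the CWE-79 description implies: never trust that input was cleaned earlier, and choose the escaping function by where the value is emitted (attribute, URL, text), since a single generic filter cannot cover all contexts.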
Affected Systems
The issue affects the WordPress Penci Bookmark & Follow plugin in all released versions prior to 2.4, from the earliest release up to any version less than 2.4; any site running one of those versions is susceptible.
Risk and Exploitability
With a CVSS score of 7.1 the vulnerability is rated high severity, reflecting significant impact regardless of the currently low probability of exploitation. The EPSS score of less than 1% suggests that, at present, the likelihood of exploit activity is low, and the vulnerability is not catalogued in CISA's KEV. Attackers could leverage the reflected XSS by crafting a malicious URL or form input and persuading a target user to visit the link, which would execute the injected JavaScript in the context of the site. No complex prerequisites are required beyond the user interaction needed to get the victim's browser to load the crafted link.
OpenCVE Enrichment