Improper Neutralization of Input during web page generation allows attackers to inject malicious scripts that execute in the browsers of site visitors. The reflected XSS flaw can lead to theft of authentication cookies, session hijacking, defacement of web pages, or execution of arbitrary code in the context of the site. The flaw is defined by the CWE-79 weakness and carries a CVSS score of 7.1, indicating high severity for confidentiality, integrity, and availability of the web application.

The vulnerability affects the WordPress plugin WPCode Content Ratio developed by Jonatan Jumbert. All plugin releases up to and including version 2.0 are vulnerable. Systems running older or later versions remain unaffected.

The EPSS score of less than 1% suggests that widespread exploitation is unlikely, and the flaw is not currently listed in the CISA KEV catalog. However, the vulnerability can be triggered simply by delivering a crafted URL or input to an unauthenticated user, making it easily exploitable by anyone who can lure a victim to the site. Given its high CVSS score and public awareness, administrators should treat this flaw as a high‑priority issue.