Impact
The vulnerability is a reflected cross‑site scripting (XSS) flaw. Based on the description, it is inferred that the Auto Login After Registration plugin fails to neutralize user‑supplied input before placing it in a generated web page. This lets an attacker inject script into the registration or auto‑login flow so that it executes in the browser of any user who visits the vulnerable page, which can lead to session hijacking, data theft, or defacement without any prior privileges on the site. The weakness is classified as CWE‑79.
Affected Systems
The flaw exists in the Auto Login After Registration plugin developed by Cynob IT Consultancy, affecting all releases from the first version up to and including 1.0.0. Any WordPress site that has this plugin installed is vulnerable, regardless of theme or other plugins.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests that the current probability of exploitation is low. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation requires a user to visit a crafted URL or submit a tampered registration request, so this is a browser‑side reflected XSS that needs neither authentication nor privilege escalation. Sites running an affected plugin version remain exposed to that attack vector until an update is applied.
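The CWE‑79 pattern behind this advisory (unescaped reflection into a page generated during the registration or auto‑login flow, triggered by a crafted URL) is shown below as an added example that is not the plugin's own code. A post‑registration page reflects an assumed `redirect_to` query parameter, first unescaped and then with the output escaping and URL validation a fix would apply; the parameter name, the page markup and the `example.invalid` host are all assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed demonstration, not the plugin's code. The "redirect_to" parameter
# name and the page markup are assumptions chosen to model a post-registration
# auto-login page that reflects a query-string value (CWE-79).
ALLOWED_SCHEMES = {"http", "https"}


def render_vulnerable(query_string: str) -> str:
    """Reflects the raw parameter into text and attribute context: CWE-79."""
    target = parse_qs(query_string, keep_blank_values=True).get("redirect_to", [""])[0]
    return (f"<p>Registered, continuing to {target}</p>"
            f'<a href="{target}">Continue</a>')


def safe_redirect_target(target: str, site_host: str) -> str:
    """Keep only same-host http(s) URLs; anything else falls back to the site root.
    This blocks javascript: and open-redirect targets that escaping alone would not."""
    parts = urlsplit(target)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or (parts.hostname or "") != site_host.lower():
        return "/"
    return target


def render_hardened(query_string: str, site_host: str = "example.invalid") -> str:
    """Validate the URL, then escape it for the context it is placed in."""
    raw = parse_qs(query_string, keep_blank_values=True).get("redirect_to", [""])[0]
    target = safe_redirect_target(raw, site_host)
    # quote=True also escapes " and ', so the value cannot break out of href="...".
    escaped = html.escape(target, quote=True)
    return (f"<p>Registered, continuing to {escaped}</p>"
            f'<a href="{escaped}">Continue</a>')


class _TagCollector(HTMLParser):
    """Records every start tag and every on* event attribute seen in the output."""
    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.event_attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_attrs += [k for k, _ in attrs if k.lower().startswith("on")]


def unexpected_markup(rendered: str) -> bool:
    """True if the page contains any tag we did not emit, or an event handler."""
    parser = _TagCollector()
    parser.feed(rendered)
    return bool(parser.event_attrs) or any(t not in {"p", "a"} for t in parser.tags)
```

`unexpected_markup` is a review aid for the demonstration only; in a real plugin the fix is the escaping and validation in `render_hardened`, applied at every point where request data reaches the page.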
OpenCVE Enrichment