Impact
The vulnerability is an Improper Neutralization of Input During Web Page Generation (cross-site scripting) that enables attackers to inject arbitrary HTML or JavaScript when the plugin processes user-supplied data. Because the WP Super Edit plugin does not sanitize reflected inputs, an attacker can craft a malicious URL or form submission that causes the victim's browser to execute attacker-controlled script in the context of the affected site. The impact is the ability to steal credentials, deface the site, or perform additional malicious actions as the victim, without requiring any further privileges.
Affected Systems
The flaw exists in the Ahmad Awais WP Super Edit plugin for WordPress versions up to and including 2.5.4. Any WordPress site that has installed this version of the plugin is at risk. The specific vendor and product name can be found in the WordPress plugin repository, though no CPE strings are listed in the CVE data.
Risk and Exploitability
The CVSS base score of 7.1 signifies high severity. The EPSS score of less than 1% indicates a very low probability of exploitation at present. The vulnerability is not referenced in the CISA KEV catalog. The likely attack vector is reflected XSS: an attacker crafts a malicious link or form whose contents the plugin echoes back, unescaped, into the page served to a victim's browser. Exploitation therefore requires luring a user into opening the crafted URL or submitting the malicious input, which typically depends on social engineering rather than on any weakness in the victim's browser.
OpenCVE Enrichment