Impact
Improper neutralization of input during web page generation allows attacker-supplied script to be executed in the browser of any visitor who opens a crafted link to the affected page. The reflected cross-site scripting (XSS) flaw is triggered by a malicious URL whose parameters the ShareBang plugin does not correctly sanitize before echoing them back into the response. Once the script runs, the attacker could steal user credentials, perform actions under the victim's account, or deliver malware.
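To make the "echoed back without sanitization" mechanism concrete, the following is an added illustration, not code taken from the ShareBang plugin or from themeinity: a generic reflected-XSS pattern in a WordPress share-button renderer, placed beside a hardened version. The function names, the `share_url` and `label` parameters, and the markup are hypothetical; the escaping helpers (`wp_unslash`, `esc_url_raw`, `esc_url`, `esc_html`, `sanitize_text_field`, `get_permalink`) are standard WordPress core functions.

```php
<?php
// Added example, not the plugin's own code. Demonstrates the class of defect
// (CWE-79 style reflected XSS) and the output-escaping fix in WordPress terms.

// VULNERABLE pattern: a request parameter is concatenated straight into an
// HTML attribute. A crafted URL can close the attribute and inject script,
// and a javascript: scheme would survive untouched.
function sharebang_demo_render_unsafe() {
    $url = isset( $_GET['share_url'] ) ? $_GET['share_url'] : '';
    echo '<a class="share-button" href="' . $url . '">Share</a>';
}

// HARDENED pattern: sanitize on input, then escape on output for the exact
// context the value lands in (URL attribute vs. HTML text).
function sharebang_demo_render_safe() {
    // wp_unslash() undoes WordPress' magic-quotes style slashing of request data.
    $raw = isset( $_GET['share_url'] ) ? wp_unslash( $_GET['share_url'] ) : '';

    // esc_url_raw() rejects disallowed schemes (e.g. javascript:) and returns ''
    // for an invalid URL, so we fall back to the current post's permalink.
    $url = esc_url_raw( $raw );
    if ( '' === $url ) {
        $url = get_permalink();
    }

    // Free-text label: strip tags and control characters on the way in.
    $label = isset( $_GET['label'] )
        ? sanitize_text_field( wp_unslash( $_GET['label'] ) )
        : 'Share';

    // Escape per context at the point of output: esc_url() for the href
    // attribute, esc_html() for the link text.
    printf(
        '<a class="share-button" href="%s">%s</a>',
        esc_url( $url ),
        esc_html( $label )
    );
}
```

The defensive point is that sanitizing on input alone is not enough; the output escaping function must match the context (attribute, URL, HTML body, JavaScript) where the value is written, which is exactly what the vulnerable pattern omits.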
Affected Systems
The vulnerability affects the WordPress plugin ShareBang, Ultimate Social Share Buttons for WordPress, published by themeinity. All versions up to and including 1.4 are affected. Releases after 1.4, if any, are not affected.
Risk and Exploitability
The CVSS score of 7.1 corresponds to high severity, while the EPSS score of less than 1% suggests that active exploitation in the wild is currently unlikely. The flaw is listed in the public advisory but is not part of the CISA KEV catalog. The most probable attack path involves an unauthenticated user clicking a crafted link; no privileged access is required. If exploited, the attacker gains the ability to run arbitrary client-side code in the context of the victim's browser session.
OpenCVE Enrichment