Impact
The vulnerability is an instance of Improper Neutralization of Input During Web Page Generation, which allows an attacker to inject and execute arbitrary JavaScript in the context of the victim’s browser. The issue manifests as reflected XSS: the malicious code is carried in a request, returned unfiltered by the plugin in the response, and rendered in the user’s browser. This can lead to cookie theft, session hijacking, site defacement, or redirection to malicious sites.
Affected Systems
The affected software is the Finale Lite plugin created by Daman Jeet, used in WordPress installations. All versions up to and including 2.20.0 are affected; no later releases have been listed as vulnerable in the advisory.
Risk and Exploitability
The CVSS score of 7.1 classifies this vulnerability as High, indicating significant impact if exploited. With an EPSS score of less than 1%, the likelihood of real-world exploitation is currently low, but because the flaw is reflected XSS it can be triggered via crafted URLs or form inputs that are reflected back to the user. The vulnerability is not listed in the CISA KEV catalog, so no known public exploits are currently documented. If an attacker successfully exploits the flaw, they can run arbitrary client-side code in the victim’s browser, potentially leading to credential compromise or further phishing attacks.
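The following is an added illustration of the weakness class described above (unescaped reflection of a request parameter into generated HTML) and of the fix; it is hypothetical example code, not code from the Finale Lite plugin or from the advisory. The shortcode name, the `q` parameter, and the function names are assumptions; the escaping helpers are standard WordPress functions.

```php
<?php
// Added example, not Finale Lite's code. A hypothetical shortcode that reflects a
// query parameter into the page: first the vulnerable pattern (CWE-79, reflected
// XSS), then the same output with WordPress input sanitization and output escaping.

// Vulnerable: the raw request value is concatenated into HTML without escaping,
// so markup in the parameter is returned to the browser unfiltered.
function example_reflect_vulnerable() {
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    return '<p>Results for: ' . $q . '</p>'
         . '<input type="text" name="q" value="' . $q . '">';
}

// Hardened: unslash and sanitize on the way in, then escape for the exact output
// context (HTML text via esc_html, attribute value via esc_attr).
function example_reflect_hardened() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    return '<p>Results for: ' . esc_html( $q ) . '</p>'
         . '<input type="text" name="q" value="' . esc_attr( $q ) . '">';
}

// Register only the hardened variant; the vulnerable one is shown for contrast.
add_shortcode( 'example_reflect', 'example_reflect_hardened' );
```

Output escaping must match the context where the value lands (text node, attribute, URL, or script), which is why esc_html and esc_attr are used separately above rather than a single generic filter.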
OpenCVE Enrichment