Impact
The oik-privacy-policy plugin for WordPress, versions up to and including 1.4.10, does not properly neutralize user-supplied input before echoing it into a generated page, which allows reflected cross-site scripting (XSS). An attacker who crafts a URL or form entry containing script can cause the plugin to reflect that input into an HTML context without escaping, so arbitrary JavaScript runs in the browser of a visitor who follows the link; this can hijack sessions, deface the site, or deliver phishing content. The weakness is the classic reflected XSS pattern classified as CWE-79, and it affects the confidentiality, integrity, and availability of the web application as experienced by its visitors.
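The reflect-without-escaping pattern described above, beside the escaped form WordPress expects, as an added illustration rather than code from the plugin itself (the advisory quotes none); the query parameter name pp_msg and the notice template are assumptions, while esc_html() and esc_attr() are WordPress's own output escapers, stubbed here only so the script runs stand-alone.

```php
<?php
// Added example, not code from the oik-privacy-policy plugin (the advisory
// quotes none). The parameter name "pp_msg" is hypothetical. esc_html() and
// esc_attr() are real WordPress functions; the stand-ins below only exist so
// this script runs outside WordPress (PHP 8+).
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// The bug class the advisory describes: a request value is concatenated
// straight into the page, so any markup in it is parsed by the browser.
function render_notice_unsafe(array $request): string {
    $msg = (string) ($request['pp_msg'] ?? '');
    return '<p class="notice" title="' . $msg . '">' . $msg . '</p>';
}

// Hardened form: escape at the point of output with the escaper that matches
// the context (attribute value vs. element body). The value is still
// reflected, but it can no longer add tags or break out of the attribute.
function render_notice_safe(array $request): string {
    $msg = (string) ($request['pp_msg'] ?? '');
    return '<p class="notice" title="' . esc_attr($msg) . '">' . esc_html($msg) . '</p>';
}

// Regression check for the fix: the only tags in the output must be the
// template's own <p> and </p>, and the title attribute must close exactly
// once (a stray quote would let input break out of it).
function output_is_contained(string $html): bool {
    $onlyTemplateTags = preg_match('/<(?!\/?p\b)/', $html) === 0;
    $attrIntact       = preg_match('/^<p class="notice" title="[^"]*">/', $html) === 1;
    return $onlyTemplateTags && $attrIntact;
}

// Constructed probe: the characters that matter in both HTML contexts.
$probe = ['pp_msg' => '<b onclick="x">"quoted" & \'single\'</b>'];

$unsafeOk = output_is_contained(render_notice_unsafe($probe)); // false: markup reflected
$safeOk   = output_is_contained(render_notice_safe($probe));   // true: all escaped
echo $unsafeOk ? 'unsafe: contained' : 'unsafe: markup reflected', PHP_EOL;
echo $safeOk ? 'safe: contained' : 'safe: markup reflected', PHP_EOL;
```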
Affected Systems
The affected product is the WordPress plugin oik-privacy-policy, developed by bobbingwide. All releases from the earliest available version through 1.4.10 are vulnerable. Any WordPress site with one of those plugin versions installed is at risk.
Risk and Exploitability
The CVSS score of 7.1 places this vulnerability in the high-severity range, indicating significant potential impact if exploited. The EPSS score of less than 1% suggests that widespread exploitation is currently unlikely, though it does not eliminate the risk. The issue is not listed in the CISA KEV catalog, so no widespread in-the-wild exploitation has been recorded there. The attack vector is web-based: an attacker must supply malicious input via a URL or form that the plugin processes and reflects back. No privileges or authentication are needed to trigger the reflected XSS, but a victim has to visit the crafted link; when they do, their active session with the site can be compromised.
OpenCVE Enrichment