Impact
The reported issue is an improper neutralization of input during web page generation that allows an attacker to inject malicious scripts. The vulnerability is a reflected Cross-Site Scripting flaw, classified as CWE-79, which lets an attacker execute client-side code in the victim’s browser when the victim loads a crafted URL or form response. This can lead to session hijacking, content theft, or defacement, affecting confidentiality, integrity, and availability of the WordPress site.
Affected Systems
WordPress sites running the Kingdom Creation Media Folder plugin version 1.0.0 or earlier are susceptible. The vulnerability exists across all installations that have not been updated beyond that version, regardless of WordPress core version.
Risk and Exploitability
The CVSS score of 7.1 indicates a moderate to high severity, while the EPSS score of less than 1% indicates a low estimated probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is likely a remote web request that includes malicious input reflected back in the HTML output; no specific conditions are mentioned, so any user with access to the affected page can craft a payload. Attackers could use this to run arbitrary JavaScript in the victim’s browser.