Impact
The XmasB Quotes plugin fails to neutralize user-supplied input before rendering it in a web page, allowing an attacker to inject arbitrary JavaScript that is reflected back to a victim’s browser. When a specially crafted request reaches the plugin, the embedded script executes in the victim’s browser context, letting the attacker perform arbitrary client-side actions such as modifying page content or reading data the browser stores for the site. The weakness corresponds to CWE-79 (improper neutralization of input during web page generation).
Affected Systems
WordPress sites running the XmasB Quotes plugin at version 1.6.1 or earlier are affected. The vulnerability applies to all releases from the plugin’s first version up through and including 1.6.1; newer official releases are not listed as affected.
Risk and Exploitability
The CVSS score of 7.1 indicates a moderate-to-high severity, while the EPSS score of less than 1% suggests that exploitation in the wild is currently unlikely. The flaw is not listed in the CISA KEV catalog. The most probable attack vector is the public web interface: an attacker crafts a malicious URL or form that the plugin processes, triggering the reflected XSS. Exploitation requires the victim to visit the crafted link or submit the malicious form, and by itself the flaw grants neither server-side access nor data modification beyond the victim’s browser session.
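The pattern behind a reflected XSS of this kind, and the fix WordPress developers are expected to apply, is shown below as an added example. It is not code from the XmasB Quotes plugin: the shortcode names (xq_quote, xq_quote_vulnerable), the handler functions and the request parameters (q, by, src) are hypothetical, while the escaping helpers are WordPress core functions.

```php
<?php
// Added example, not code from the XmasB Quotes plugin. Shows a hypothetical
// shortcode handler that reflects request parameters into the page, first in
// the vulnerable form (CWE-79) and then hardened with WordPress's
// sanitize-on-input / escape-on-output helpers.

// VULNERABLE: the hypothetical "q" parameter is written into the markup
// unchanged, so any tag or script carried in the request URL is rendered
// and executed in the visitor's browser.
function xq_render_quote_vulnerable() {
    $quote = isset( $_GET['q'] ) ? $_GET['q'] : '';
    return '<blockquote class="xq-quote">' . $quote . '</blockquote>';
}

// HARDENED: unslash and sanitize each value on the way in, then escape it
// for the exact context it lands in. One helper does not fit all contexts:
// esc_html() for text nodes, esc_attr() for attribute values, esc_url() for
// href/src. Sanitizing alone is not enough; output escaping is what closes
// the hole.
function xq_render_quote_hardened() {
    $quote  = isset( $_GET['q'] )   ? sanitize_text_field( wp_unslash( $_GET['q'] ) )   : '';
    $author = isset( $_GET['by'] )  ? sanitize_text_field( wp_unslash( $_GET['by'] ) )  : '';
    $source = isset( $_GET['src'] ) ? esc_url_raw( wp_unslash( $_GET['src'] ) )         : '';

    $cite = '';
    if ( '' !== $source ) {
        // URL context: esc_url() also rejects non-HTTP(S) schemes.
        $cite = '<cite><a href="' . esc_url( $source ) . '">source</a></cite>';
    }

    return sprintf(
        '<blockquote class="xq-quote" data-author="%s"><p>%s</p>%s</blockquote>',
        esc_attr( $author ),   // attribute context
        esc_html( $quote ),    // HTML text context
        $cite
    );
}

add_shortcode( 'xq_quote_vulnerable', 'xq_render_quote_vulnerable' );
add_shortcode( 'xq_quote', 'xq_render_quote_hardened' );
```

With the hardened handler, a request such as ?q=%3Cem%3Equote%3C%2Fem%3E (constructed sample) renders the literal text &lt;em&gt;quote&lt;/em&gt; instead of markup, which is the behaviour to verify when confirming a patched plugin version.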
OpenCVE Enrichment