Impact
The vulnerability arises from improper neutralization of user input, allowing a reflected Cross‑Site Scripting (XSS) vector. An attacker can place a malicious script payload in a crafted request; when the victim’s browser sends that request to the plugin, the payload is reflected into the response unsanitized and executes in the victim’s browser. This can lead to data theft, session hijacking, defacement of the site, or the execution of arbitrary JavaScript in the context of the site’s users.
Affected Systems
The issue affects the undoIT Theme Switcher Reloaded WordPress plugin, versions from n/a through the 1.1 release. Any WordPress site that has installed a vulnerable version of this theme‑switcher plugin is at risk unless the plugin is updated or removed.
Risk and Exploitability
The CVSS score of 7.1 indicates a moderate to high severity, while the EPSS score of less than 1% signals that active exploitation is currently rare. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not been widely exploited in the wild yet. Based on the description, the likely attack vector is a reflected XSS through crafted requests that the plugin fails to sanitize before rendering. The attack requires an attacker to supply a malicious query parameter or form input and persuade or trick a user into visiting the crafted URL, which is typically feasible via phishing or compromised external content.
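The weakness described in the Impact and Risk sections above, shown as an added illustration rather than the Theme Switcher Reloaded plugin's actual code: a request parameter echoed straight into HTML, next to the hardened pattern WordPress provides (sanitize on input, restrict to known values, escape for the output context, and protect the state-changing request with a nonce). The function names, the tsr_theme parameter and the nonce action are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Names below are hypothetical.

// VULNERABLE pattern: the raw query parameter is written into an attribute.
// Whatever a crafted link puts in ?tsr_theme=... is reflected verbatim, so
// the visitor's browser executes attacker-chosen markup and script.
function tsr_render_switcher_unsafe() {
    $current = isset( $_GET['tsr_theme'] ) ? $_GET['tsr_theme'] : '';
    echo '<input type="text" name="tsr_theme" value="' . $current . '">';
}

// HARDENED pattern: unslash and sanitize the input, accept only installed
// theme slugs, escape for the exact HTML context, and emit a nonce so a
// forged cross-site request cannot trigger the switch.
function tsr_render_switcher_safe() {
    $allowed = array_keys( wp_get_themes() ); // slugs of installed themes
    $raw     = isset( $_GET['tsr_theme'] )
        ? sanitize_text_field( wp_unslash( $_GET['tsr_theme'] ) )
        : '';
    $current = in_array( $raw, $allowed, true ) ? $raw : '';

    echo '<form method="post">';
    wp_nonce_field( 'tsr_switch_theme', 'tsr_nonce' );
    echo '<select name="tsr_theme">';
    foreach ( $allowed as $slug ) {
        printf(
            '<option value="%s"%s>%s</option>',
            esc_attr( $slug ),                    // attribute context
            selected( $slug, $current, false ),   // ' selected="selected"' or ''
            esc_html( $slug )                     // text-node context
        );
    }
    echo '</select><button type="submit">Switch</button></form>';
}

// POST handler: verify the nonce, re-validate the slug against installed
// themes, then remember the visitor's choice in an HttpOnly cookie.
function tsr_handle_switch() {
    if ( ! isset( $_POST['tsr_nonce'], $_POST['tsr_theme'] )
        || ! wp_verify_nonce( $_POST['tsr_nonce'], 'tsr_switch_theme' ) ) {
        wp_die( 'Invalid request.' );
    }
    $slug = sanitize_text_field( wp_unslash( $_POST['tsr_theme'] ) );
    if ( ! in_array( $slug, array_keys( wp_get_themes() ), true ) ) {
        wp_die( 'Unknown theme.' );
    }
    setcookie( 'tsr_theme', $slug, time() + DAY_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
}
```

Because the hardened version only ever outputs slugs taken from wp_get_themes(), and escapes even those, no request-controlled string reaches the page unencoded.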
OpenCVE Enrichment
EUVD