The WordPress "Theme Blvd Widget Areas" plugin contains a reflected Cross‑Site Scripting flaw due to improper neutralization of user input during web page generation. When an attacker crafts a request that includes malicious payloads, the plugin reflects that input back into the page output without adequate sanitization, allowing execution of arbitrary JavaScript in the victim’s browser. This can lead to credential theft, session hijacking, or malicious content injection, compromising user confidentiality and integrity.

The vulnerability applies to all installations of the Jason Theme Blvd Widget Areas plugin from its initial release up to and including version 1.3.0. No specific patch version is listed, so any deployment numbered 1.3.0 or earlier is considered vulnerable.

The reported CVSS score of 7.1 indicates a moderate‑to‑high risk level, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The flaw is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a remote attacker sending a crafted URL or form input that the plugin processes and reflects back, enabling XSS execution in the context of an authenticated or unauthenticated visitor. No additional conditions or privileges are required beyond the ability to deliver a request to the vulnerable plugin.