In this vulnerability improper neutralization of input during web page generation allows a reflected cross‑site scripting flaw. When a victim accesses a URL that contains a malicious query or path segment, the plugin renders that data without adequate sanitization, causing the browser to execute the embedded script. The effect is that an attacker can run arbitrary JavaScript in the victim’s browser context. Based on the description, it is inferred that usual XSS consequences—such as session cookie theft, defacement, or phishing—could arise if the script compromises the user’s session or autocompletes credentials, although such specific outcomes are not detailed in the CVE data.

The flaw affects the Fidelo Snippet WordPress plugin developed by Fidelo Software GmbH. All released versions up to and including 1.12 are potentially vulnerable; later releases are presumed to contain a fix. Any WordPress site that installs a vulnerable copy of the plugin is at risk.

The CVSS score of 7.1 indicates a medium‑to‑high severity, and the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is likely to be “Network”‑based, with the attacker needing to craft a malicious URL that the victim would click or be directed to. Interaction from the victim is required for the reflected XSS to run, but the impact can be severe if the victim is an administrator or holds privileged credentials.