Impact
The Epic Review plugin for WordPress suffers from improper neutralization of input, allowing an attacker to inject malicious scripts that are echoed back to the browser. The reflected XSS flaw lets an attacker craft a URL or form that, when accessed by a user, executes code in the user's session. This can lead to session hijacking, credential theft, defacement, or other client-side attacks that compromise the confidentiality and integrity of the affected site. The vulnerability is not a remote code execution flaw, but it does enable the attacker to run arbitrary JavaScript in the context of the site.
Affected Systems
All instances of the jegtheme Epic Review WordPress plugin at version 1.0.2 or earlier are vulnerable. The risk applies to any WordPress site that has this plugin installed and exposes the plugin’s functionality to users or visitors.
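A version check for the affected range stated above, as an added example rather than code from the advisory or the plugin vendor: it reads the header comment of each plugin's PHP files and flags installs at 1.0.2 or earlier. The `Plugin Name` header text, the folder names and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (1, 0, 2)    # advisory: version 1.0.2 or earlier is vulnerable
PLUGIN_NAME = "epic review"  # assumption: the plugin's "Plugin Name" header text
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+)$", re.M | re.I)

def parse_version(text):
    """'1.0.2' or '1.0.2-beta' -> (1, 0, 2), padded to three parts."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def read_headers(php_file):
    """Parse the header comment; WordPress only looks at the first 8 KiB."""
    head = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    headers = {}
    for key, value in HEADER.findall(head):
        headers.setdefault(key.lower(), value.strip())  # first match wins
    return headers

def find_installs(plugins_dir):
    """Return (folder, version, affected) for each plugin named PLUGIN_NAME."""
    hits = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        headers = read_headers(php)
        if headers.get("plugin name", "").lower() != PLUGIN_NAME:
            continue
        version = headers.get("version", "")
        # Compare as integer tuples: as strings, "1.0.10" sorts before "1.0.2".
        # No Version header means the install cannot be cleared, so flag it.
        affected = not version or parse_version(version) <= LAST_AFFECTED
        hits.append((php.parent.name, version or "unknown", affected))
    return hits

def build_sample_tree(root):
    """Constructed sample data: three plugin folders with made-up names."""
    samples = {
        "site-a-review": "<?php\n/*\n * Plugin Name: Epic Review\n * Version: 1.0.2\n */\n",
        "site-b-review": "<?php\n/**\r\n * Plugin Name: Epic Review\r\n * Version: 1.0.10\r\n */\n",
        "other-plugin": "<?php\n/* Plugin Name: Something Else\n   Version: 0.9 */\n",
    }
    for folder, body in samples.items():
        (Path(root) / folder).mkdir()
        (Path(root) / folder / "main.php").write_bytes(body.encode())
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for folder, version, affected in find_installs(build_sample_tree(tmp)):
            print(f"{folder}: {version} {'AFFECTED' if affected else 'outside advisory range'}")
```

Point `find_installs` at a site's `wp-content/plugins` directory to run it against a real install; a result of "outside advisory range" only means the version is later than 1.0.2.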
Risk and Exploitability
The CVSS score of 7.1 indicates a medium-severity flaw. The EPSS score of less than 1% suggests that the likelihood of exploitation is very low at present, and the vulnerability is currently not listed in the CISA KEV catalog. Attackers would typically exploit the flaw by directing users to a specially crafted URL containing malicious query parameters or by submitting harmful data through a form that is rendered by the plugin. Since the flaw is reflected rather than stored, it requires the victim’s interaction but leverages the publicly reachable plugin interface.