Impact
Improper neutralization of user input in the Ex‑Themes WooTour WordPress plugin allows attackers to inject malicious JavaScript that is reflected back to the browser. The reflected XSS flaw can be triggered by entering crafted data into plugin‑provided fields or URLs, enabling attackers to obtain cookies, hijack sessions, or execute arbitrary scripts in the victim’s browser context. The vulnerability is classified as CWE‑79, the cross‑site scripting weakness.
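The mechanism described above, shown as an added illustration in WordPress PHP; this is not code from the WooTour plugin, and the parameter name `wt_date` and the function names are assumptions. The vulnerable pattern echoes a request value straight into HTML; the hardened version sanitizes on input and escapes for the output context.

```php
<?php
// Added example, not WooTour's code. Parameter name $_GET['wt_date'] and the
// function names are hypothetical; the WordPress API calls are real.

// VULNERABLE pattern (CWE-79): the raw parameter is written into the page.
function wt_render_search_vulnerable() {
    $date = isset( $_GET['wt_date'] ) ? $_GET['wt_date'] : '';
    // A value containing a double quote closes the attribute, and a value
    // containing angle brackets is rendered as markup in the <p> below.
    echo '<input type="text" name="wt_date" value="' . $date . '">';
    echo '<p>Results for ' . $date . '</p>';
}

// HARDENED pattern: sanitize on input, escape on output for each context.
function wt_render_search_hardened() {
    // wp_unslash() removes WordPress's magic-quote slashes;
    // sanitize_text_field() strips tags, octets and control characters.
    $date = isset( $_GET['wt_date'] )
        ? sanitize_text_field( wp_unslash( $_GET['wt_date'] ) )
        : '';
    // esc_attr() for attribute context, esc_html() for text context.
    echo '<input type="text" name="wt_date" value="' . esc_attr( $date ) . '">';
    echo '<p>Results for ' . esc_html( $date ) . '</p>';
}

// If some markup must be preserved (e.g. a description field), allow-list it
// rather than echoing it raw; wp_kses_post() permits only post-safe tags.
function wt_render_description( $html ) {
    echo wp_kses_post( $html );
}
```

On the operations side, `wp plugin list --fields=name,version,update` (WP-CLI) shows whether the installed release is at or below 3.6.3.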
Affected Systems
WordPress sites that have the WooTour plugin from Ex‑Themes installed are affected. The flaw exists in all versions up to and including 3.6.3; no lower bound is documented, so every release from the earliest should be treated as affected. Site owners should verify which version is running and prepare to apply a fix.
Risk and Exploitability
The CVSS score of 7.1 indicates a moderate to high impact for remote attackers who can supply input. However, the EPSS score is below 1 %, suggesting a low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. Because an attacker must entice a victim to visit a crafted URL or interact with a vulnerable input field, exploitation depends on user action and is possible but not trivial.
OpenCVE Enrichment