Impact
The vulnerability arises from improper neutralization of formula elements in CSV files processed by the AP HoneyPot WordPress Plugin. An attacker can insert specially crafted script or formula content that is reflected in the response and later executed in a visitor's browser, resulting in reflected cross-site scripting. This flaw enables an adversary to run arbitrary JavaScript in the context of the site, potentially stealing credentials or session cookies, or defacing pages. It is classified under CWE-1236 (Improper Neutralization of Formula Elements in a CSV File), which signifies that user input is not correctly sanitized before being processed.
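As an added illustration of the CWE-1236 mitigation (this is not code from the plugin or from OpenCVE), the export routine below neutralizes formula elements before a CSV is written. The column names and the sample rows are constructed for the example.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula (the CWE-1236 trigger set); tab and carriage return are included
# because some applications also evaluate cells beginning with them.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_cell(value: str) -> bool:
    """Return True if a spreadsheet would interpret this cell as a formula.
    Leading spaces are stripped first because some applications ignore them."""
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Prefix a formula-looking cell with a single quote so it is treated as
    text. Non-string values (numbers, None) are returned unchanged."""
    if not isinstance(value, str):
        return value
    if is_formula_cell(value):
        return "'" + value
    return value


def export_csv(rows):
    """Write rows to CSV text with every cell neutralized and every field
    quoted; csv.writer doubles embedded double quotes, so a crafted value
    cannot break out of its quoted field."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample of honeypot-style log rows; the second and third rows
# contain values a spreadsheet would otherwise evaluate.
SAMPLE_ROWS = [
    ["ip", "user_agent", "note"],
    ["203.0.113.7", "Mozilla/5.0", "benign"],
    ["198.51.100.9", "=1+1", "formula trigger"],
    ["198.51.100.10", " @SUM(1,2)", "leading space then trigger"],
    ["198.51.100.11", "plain text", "safe"],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS))
```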
Affected Systems
The affected product is Denis V (Artprima) AP HoneyPot WordPress Plugin, any release whose version identifier is unknown or is ≤1.4. WordPress sites running this plugin at v1.4 or earlier are vulnerable. No other vendors or products are explicitly listed for this vulnerability.
Risk and Exploitability
The CVSS score of 7.1 indicates a medium-to-high severity, while the EPSS score of <1% suggests that, as of now, exploitation is unlikely but not impossible. The vulnerability is not present in the CISA KEV catalog, which means it is not a known, actively exploited flaw. An attacker could target the plugin by uploading a malicious CSV file to the honeypot interface, or by tricking an authenticated user into submitting such a file. If the admin interface is publicly exposed, the attack path is remote, requiring only the ability to reach the upload form.
OpenCVE Enrichment