Impact
The vulnerability is an Improper Neutralization of Input During Web Page Generation, classified as a Reflected Cross‑Site Scripting (XSS). An attacker can supply crafted data that is reflected back in the HTTP response without proper sanitization, allowing the execution of arbitrary JavaScript in the victim’s browser. This can enable session hijacking, credential theft, defacement, or delivering phishing payloads. The weakness corresponds to CWE‑79.
Affected Systems
The affected product is the myshouts‑shoutbox WordPress plugin by Munzir, in all versions from the initial release through 0.9, inclusive. Any installation running a version of the plugin that has not been updated beyond 0.9 is vulnerable.
Risk and Exploitability
With a CVSS score of 7.1 and an EPSS score of < 1 %, the technical severity is high but the probability of active exploitation is low. The vulnerability is not listed in the CISA KEV catalog, indicating that no active widespread exploitation has been observed. An attacker would craft a malicious link containing the problematic input; any user clicking that link on a site using the vulnerable plugin would have the script executed in their browser. No authentication or privileged access is required, so the attack is feasible against any exposed site using the plugin.
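The weakness class described above, shown as an added example that is not code from the myshouts‑shoutbox plugin (the page does not name the plugin's actual vulnerable parameter; the `msg` query parameter and the shortcode name are assumptions): a shoutbox shortcode that reflects a request parameter into the page, first without escaping and then using WordPress's standard sanitization and escaping helpers.

```php
<?php
/*
 * Added example, not from the myshouts-shoutbox plugin: a minimal shoutbox
 * shortcode that reflects a query parameter back into the rendered page.
 * The parameter name "msg" and the shortcode name are assumptions.
 */

// VULNERABLE: the raw value of ?msg=... is concatenated straight into the
// HTML, so any markup in the request is sent back to the browser unchanged
// (CWE-79, reflected XSS).
function example_shoutbox_render_vulnerable( $atts ) {
    $msg = isset( $_GET['msg'] ) ? $_GET['msg'] : '';
    return '<div class="shoutbox-last">' . $msg . '</div>'
         . '<input type="text" name="msg" value="' . $msg . '">';
}

// HARDENED: the value is unslashed, stripped of tags and control characters,
// and then escaped for the exact context it lands in (element body versus
// attribute value), so user input is rendered as text, never as markup.
function example_shoutbox_render_hardened( $atts ) {
    $msg = isset( $_GET['msg'] )
        ? sanitize_text_field( wp_unslash( $_GET['msg'] ) )
        : '';
    return '<div class="shoutbox-last">' . esc_html( $msg ) . '</div>'
         . '<input type="text" name="msg" value="' . esc_attr( $msg ) . '">';
}

// Only the hardened renderer is registered; the vulnerable one is kept
// above solely for comparison.
add_shortcode( 'example_shoutbox', 'example_shoutbox_render_hardened' );
```

Escaping must match the output context: `esc_html()` for element content and `esc_attr()` for attribute values are the minimum; a value placed inside a JavaScript block or a URL would need `esc_js()` or `esc_url()` instead.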
OpenCVE Enrichment