Impact
Improper neutralization of user-supplied input during web page generation (CWE-79, cross-site scripting) allows an attacker to inject arbitrary client-side code that runs in the context of the site's domain. The consequences include defacement, credential or session theft, and execution of attacker-controlled code in the victim's browser, affecting the confidentiality, integrity, and availability of user sessions and site content.
Affected Systems
The WordPress SureRank plugin from Brainstorm Force, versions up to and including 1.3.2, is affected by this cross‑site scripting flaw. Users of any WordPress installation running one of those plugin versions are at risk.
Risk and Exploitability
The CVSS score of 7.1 signifies moderate to high severity, while the EPSS score of less than 1% indicates a low exploitation probability at present. The vulnerability is not listed in the CISA KEV catalog. Attacks most likely target plugin components that accept unsanitized input, whether from administrators or from publicly accessible areas, allowing an attacker to store or reflect a payload that is later rendered into a page. Successful exploitation requires only that the attacker can supply input the plugin fails to neutralize; once rendered, the payload executes for every visitor of the affected page, so the client-side impact can be widespread for affected sites.
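The CWE-79 pattern described above, shown as a vulnerable and a hardened rendering routine for a WordPress plugin setting. This is example code written for this page, not SureRank's or Brainstorm Force's code; the setting, function names and payload are hypothetical, and the fallbacks exist only so the file runs under plain PHP outside WordPress.

```php
<?php
// Added example (hypothetical, not SureRank's code): a plugin setting saved from an
// admin form and later rendered into a public page. Under WordPress, esc_attr(),
// esc_html() and sanitize_text_field() are provided by core; the approximate
// fallbacks below only let this file run under plain PHP for demonstration.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
    function esc_html(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
    function sanitize_text_field(string $s): string { return trim(strip_tags($s)); }
}

// Vulnerable pattern (CWE-79): the stored value is echoed verbatim into an
// attribute and into element content, so a value containing '">' or '<' closes
// the attribute or opens a new tag.
function render_title_vulnerable(string $stored_title): string {
    return '<meta name="description" content="' . $stored_title . '">' .
           '<h1>' . $stored_title . '</h1>';
}

// Hardened pattern: sanitize at the trust boundary when the value is saved...
function save_title(string $raw_input): string {
    return sanitize_text_field($raw_input);
}

// ...and escape on output with the function that matches the output context:
// esc_attr() inside a quoted attribute, esc_html() inside element content.
function render_title_hardened(string $stored_title): string {
    return '<meta name="description" content="' . esc_attr($stored_title) . '">' .
           '<h1>' . esc_html($stored_title) . '</h1>';
}

// Constructed test value for demonstration only; it does not come from the advisory.
$payload = '"><script>alert(1)</script>';

// Vulnerable output: the quote closes the content attribute and the script
// element becomes part of the page.
echo render_title_vulnerable($payload), "\n";

// Hardened output: quotes and angle brackets are encoded as HTML entities, so the
// browser renders the value as text and nothing executes.
echo render_title_hardened(save_title($payload)), "\n";
```

Sanitizing on save alone is not sufficient: a value that is safe as text can still break out of an attribute, which is why the output escaping must match the context where the value lands.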
OpenCVE Enrichment