Impact
Improper neutralization of input during web page generation in the Grand Conference Theme Custom Post Type plugin allows attackers to inject arbitrary scripts into pages the plugin renders. Because the flaw is a reflected XSS, injected script runs in a visitor's browser and could lead to cookie theft, session hijacking, page defacement, or the delivery of malware. The vulnerability is present in any installation running a version of the plugin prior to 2.6.4.
Affected Systems
The vulnerability affects the ThemeGoods Grand Conference Theme Custom Post Type plugin for WordPress. Any WordPress site with the plugin installed at a version lower than 2.6.4 is susceptible; the affected range is recorded as n/a (no lower bound) through all versions below 2.6.4.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests a low likelihood of active exploitation at the time of assessment. The flaw is not listed in the CISA KEV catalog. The likely attack vector is inferred from the description: an attacker must craft a URL or form input that reaches the plugin's output routine, and the script executes in the victim's browser once the victim visits the crafted link or submits the input. No privileges beyond normal web access are required, so the attack is available to anyone who can reach the site over the internet; exploitation does, however, depend on a victim interacting with the crafted link or input.
OpenCVE Enrichment