The Import from YML plugin for WordPress contains an improper neutralization of input during web page generation that leads to reflected cross‑site scripting. An attacker can supply crafted data that is echoed back into the rendered page without proper escaping, allowing the execution of arbitrary JavaScript in the victim’s browser. The vulnerability enables session hijacking, cookie theft, defacement, or the execution of malicious code, compromising the confidentiality and integrity of the user session.

This flaw affects the WordPress Import from YML plugin released by icopydoc. Versions prior to 3.1.18 (i.e., n/a through 3.1.17) are vulnerable. Any site running the plugin in these versions is at risk, regardless of the WordPress core version.

The CVSS score of 7.1 marks the issue as high severity, though the EPSS score of less than 1% indicates a low likelihood of active exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalogue. Exploitation is possible via unauthenticated access to URLs that include plugin parameters, meaning any visitor that encounters a crafted link could trigger the reflected script. The attack requires only the plugin to be active and a user to visit a crafted page; no administrative privileges are necessary.