Impact
The vulnerability is an instance of Improper Neutralization of Input During Web Page Generation (CWE‑79), which allows attackers to inject malicious scripts that execute in the browser of any visitor to the affected WordPress site. By injecting crafted JavaScript through the plugin’s user interface, an attacker could deface the site, hijack user sessions, or exfiltrate sensitive information. The flaw does not grant direct server‑side code execution, but it endangers the confidentiality, integrity, and availability of users who view the affected pages.
Affected Systems
The affected product is the Link Whisper Free plugin for WordPress, released by Spencer Haws. Versions up to and including 0.8.8 contain the flaw.
Risk and Exploitability
The CVSS score of 7.1 places this vulnerability in the medium‑to‑high severity range. The EPSS score of under 1 % indicates that, as of the last measurement, the likelihood of automated exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is reflected XSS: an attacker would need to craft a payload that is echoed back to a user in the generated HTML, typically via plugin‑supplied input fields. Based on the description, the vulnerability is inferred to originate from unsanitized user input, allowing a reasonably knowledgeable attacker to discover and exploit it with or without elevated privileges.
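To make the reflected‑XSS pattern concrete from a remediation standpoint, the following PHP snippet is an added example written for this page; it is not Link Whisper code and makes no claim about where the real flaw sits. It shows a hypothetical plugin screen that echoes a query‑string parameter back into the page, first in the unsafe form the advisory describes (request data written straight into HTML) and then hardened with the WordPress capability check, input sanitization and context‑specific output escaping functions. The function names and the `lw_demo_q` parameter are assumptions for the illustration.

```php
<?php
/**
 * Added illustration (not Link Whisper code): a hypothetical plugin admin
 * screen that reflects a query-string value into the generated HTML.
 * Function names and the "lw_demo_q" parameter are assumptions.
 */

// Unsafe pattern: raw request data is concatenated into the markup.
// A value containing a double quote closes the value="" attribute early,
// so whatever follows it is parsed as markup and run by the visitor's
// browser. This is the CWE-79 condition the advisory describes.
function lw_demo_render_vulnerable() {
    $q = isset( $_GET['lw_demo_q'] ) ? $_GET['lw_demo_q'] : '';
    echo '<form method="get">';
    echo '<input type="text" name="lw_demo_q" value="' . $q . '">';
    echo '<p>Results for: ' . $q . '</p>';
    echo '</form>';
}

// Hardened pattern: authorize, sanitize on input, escape on output.
function lw_demo_render_hardened() {
    // Only users permitted to manage the plugin should reach this screen.
    // (Escaping below is still required: authorization alone does not
    // stop a logged-in admin from being sent a crafted link.)
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'lw-demo' ) );
    }

    // Normalize the incoming value: wp_unslash() removes the slashes WP adds
    // to request data, sanitize_text_field() strips tags, octets and
    // surrounding whitespace.
    $q = isset( $_GET['lw_demo_q'] )
        ? sanitize_text_field( wp_unslash( $_GET['lw_demo_q'] ) )
        : '';

    // Escape for the exact context the value lands in: an HTML attribute
    // needs esc_attr(), text between tags needs esc_html(). Sanitizing
    // alone is insufficient because sanitize_text_field() does not encode
    // quote characters.
    echo '<form method="get">';
    echo '<input type="text" name="lw_demo_q" value="' . esc_attr( $q ) . '">';
    echo '<p>' . esc_html( sprintf( 'Results for: %s', $q ) ) . '</p>';
    echo '</form>';
}
```

The defensive rule the second function follows is "sanitize early, escape late, escape for the output context": `esc_attr()` and `esc_html()` are chosen by where the string is inserted, not by where it came from, which is also what a code review or static check for this class of bug should look for in each `echo` of request‑derived data.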
OpenCVE Enrichment