Impact
The vulnerability is an improper neutralization of user‑supplied input during page generation, allowing attackers to inject arbitrary HTML or JavaScript via a crafted URL. The attack causes the injected script to execute in the victim’s browser, creating a cross‑site scripting (CWE‑79) flaw with the potential to run malicious code. The impact is confined to the victim’s session when they view the malicious content.
Affected Systems
WordPress websites that have installed the MemberPress Discord Addon plugin from ExpressTechSoftware, version 1.1.4 or older.
Risk and Exploitability
The CVSS score of 7.1 indicates a high potential impact when exploited; the EPSS score of less than 1% indicates a low likelihood of widespread exploitation at the present time. The vulnerability is user‑interaction based, requiring the victim to load a crafted page. The plugin is not listed in the CISA KEV catalog, meaning no known active exploitation has been reported. Site operators should treat the risk as moderate to high due to the high severity of the flaw.
OpenCVE Enrichment