Impact
Unauthenticated Reflected Cross Site Scripting (XSS) allows an attacker to inject arbitrary client‑side scripts into the browsing session of any user who visits a vulnerable page. The flaw resides in the Okay Toolkit plugin for WordPress and is classified as CWE‑79. Successful exploitation may enable the execution of arbitrary JavaScript on the victim’s browser, potentially affecting the user experience or altering the presentation of the site from the user’s perspective.
Affected Systems
The vulnerability affects WordPress sites that have the ArrayHQ Okay Toolkit plugin version 2.3 or earlier installed. Any site running these versions is potentially exposed.
Risk and Exploitability
The CVSS score of 7.1 indicates a moderate severity. The EPSS score of less than 1% suggests exploitation is currently unlikely, and the flaw is not listed in CISA’s KEV catalog. The attack vector is inferred to involve a reflected request parameter in the plugin’s exposed endpoints, allowing an unauthenticated attacker to craft a malicious URL that injects script content into the page.
OpenCVE Enrichment