Impact
Improper neutralization of user-supplied input in the Mopinion Feedback Form plugin creates a DOM-based Cross-Site Scripting flaw that allows a malicious script to be reflected and executed in the victim's browser. The reflected payload can steal session cookies, present phishing content in the victim's browser, or carry out other client-side attacks such as defacement or data exfiltration. The injected script runs entirely within the page rendered by the plugin, so the server itself is not compromised, but user confidentiality is jeopardized and, left unaddressed, the flaw can lead to large-scale user compromise.
Affected Systems
The vulnerability affects the WordPress plugin "Mopinion Feedback Form" developed by keeswolters. All installations running plugin version 1.1.1 or earlier are affected. The plugin is loaded by WordPress sites that use its feedback form feature.
Risk and Exploitability
The CVSS score of 7.1 places the flaw at the lower end of the high severity range, while the EPSS score of less than 1% indicates a currently low exploitation probability. The flaw is not listed in the CISA KEV catalog. An attacker can exploit the issue by injecting script through the form's input fields or through crafted URLs that trigger the payload when a user views the form page. Because the flaw is client-side, it can be triggered by any user, authenticated or not, who submits or views the form content.
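As an added illustration (not the plugin's own code), the following hypothetical feedback-form prefill shows the DOM-based pattern described above, where a value taken from the page URL reaches an HTML sink unneutralized, beside a hardened version that escapes it first. The page URL, the `subject` parameter and the function names are assumptions.

```javascript
// Added example, not the Mopinion plugin's code. A hypothetical feedback-form
// widget that prefills a field from a "subject" query parameter in the page URL.
// The URL, the parameter name and the function names are assumptions.

// Unsafe: the untrusted parameter is concatenated straight into markup that the
// page would hand to innerHTML. This is the DOM-based XSS pattern in the advisory.
function renderPrefillUnsafe(pageUrl) {
  const subject = new URL(pageUrl).searchParams.get("subject") ?? "";
  return `<input name="subject" value="${subject}">`;
}

// Minimal HTML escaping: neutralizes the five characters that can close an
// attribute value or start a tag before the string reaches an HTML sink.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: identical behaviour for ordinary input, but markup metacharacters
// are escaped. (In real DOM code, assigning input.value = subject and avoiding
// innerHTML entirely is the cleaner fix; escaping is shown here so the
// function stays testable as a plain string transform.)
function renderPrefillSafe(pageUrl) {
  const subject = new URL(pageUrl).searchParams.get("subject") ?? "";
  return `<input name="subject" value="${escapeHtml(subject)}">`;
}

// Regression check a test suite can run: does a probe marker survive into the
// rendered markup as live tag syntax? Returns true when the sink is unsafe.
function markerSurvives(render, marker) {
  const url = "https://example.test/contact/?subject=" + encodeURIComponent(marker);
  return render(url).includes(marker);
}

// Constructed sample: a harmless probe marker, not a working exploit.
const PROBE = '"><script>probe()</script>';

// Ordinary input is rendered unchanged by both versions.
const ORDINARY_URL = "https://example.test/contact/?subject=Billing%20question";

function demo() {
  return {
    unsafeLeaks: markerSurvives(renderPrefillUnsafe, PROBE), // true
    safeLeaks: markerSurvives(renderPrefillSafe, PROBE),     // false
    ordinary: renderPrefillSafe(ORDINARY_URL),
  };
}
```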
OpenCVE Enrichment