Impact
The WP App Bar plugin for WordPress contains a reflected Cross-Site Scripting (XSS) flaw: user-supplied input is written into a generated page without proper neutralization (CWE-79). An attacker who gets a victim to open a crafted request has arbitrary JavaScript echoed back into the victim's browser, where it runs in the origin of the site and with the victim's session. Depending on who opens the link, that enables credential theft, session hijacking, actions performed in the victim's name (including administrative changes if the victim is an administrator), defacement, or further compromise of the site.
Affected Systems
The issue exists in the WordPress plugin WP App Bar by Ryan Sutana in all releases up to and including version 1.5. Any WordPress site with this plugin installed at version 1.5 or earlier is affected. Confirm the installed version from the Plugins screen in the dashboard or with `wp plugin list` (WP-CLI) rather than assuming; if no release newer than 1.5 is available from the plugin's distribution channel, deactivate or remove the plugin instead of waiting for an update.
Risk and Exploitability
The CVSS base score of 7.1 rates the flaw as high severity, while the EPSS score of under 1% indicates that exploitation in the wild is currently uncommon; the vulnerability is not listed in CISA's KEV catalog. The attack vector is a crafted URL (or a form that submits to the affected page) carrying the malicious input. Building the link requires no account on the site, but the attacker must get a victim to open it: the input is reflected only in the response to that one request and is not stored on the site, so the script executes solely in the browser of whoever follows the link. The impact therefore depends on the victim. For an anonymous visitor the script runs in an unauthenticated context; for a logged-in editor or administrator it runs with that user's session and can act on their behalf. Treat the risk as moderate to high wherever privileged users can plausibly be lured into opening links (for example via comments, support tickets or email) and the plugin remains at an affected version.
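The following is an added illustration of the vulnerability class described above, not code from WP App Bar or from its author; the page does not identify the plugin's actual parameter or output sink. The parameter name `ab_title` and the function names are hypothetical. The first function shows the reflected pattern (a request value written straight into the page), the second the WordPress-idiomatic fix: unslash and sanitize on input, then escape for the specific output context at the moment of output.

```php
<?php
// Added example of the CWE-79 reflected XSS pattern in a WordPress plugin.
// NOT WP App Bar's code: "ab_title" and both function names are hypothetical.

// Vulnerable pattern: the request parameter is echoed into both an attribute
// and the element body without any escaping. A link such as
//   ?ab_title="><script>alert(document.cookie)</script>
// breaks out of the attribute and the script runs in the visitor's browser.
function demo_app_bar_render_vulnerable() {
    $title = isset( $_GET['ab_title'] ) ? $_GET['ab_title'] : 'Menu';
    echo '<div class="app-bar" title="' . $title . '">' . $title . '</div>';
}

// Hardened pattern. Three separate steps, each doing one job:
//  1. wp_unslash()          - undo WordPress's magic-quotes-style slashing.
//  2. sanitize_text_field() - strip tags, line breaks and invalid UTF-8 on input.
//  3. esc_attr()/esc_html() - encode for the exact context where the value lands.
// Step 3 is the one that actually closes the XSS: sanitize_text_field() leaves
// double quotes intact, so a payload like  " onmouseover="alert(1)  would still
// break out of the title="" attribute if the value were not escaped on output.
function demo_app_bar_render_hardened() {
    $title = 'Menu';
    if ( isset( $_GET['ab_title'] ) ) {
        $title = sanitize_text_field( wp_unslash( $_GET['ab_title'] ) );
    }
    printf(
        '<div class="app-bar" title="%s">%s</div>',
        esc_attr( $title ), // attribute context
        esc_html( $title )  // element body context
    );
}
```

When reviewing a plugin for this class of bug, look for every `echo`, `print`, `printf` or string concatenation whose operand traces back to `$_GET`, `$_POST`, `$_REQUEST` or `$_SERVER['REQUEST_URI']`, and check that the value passes through the escaping function matching its output context (`esc_attr()`, `esc_html()`, `esc_url()`, `esc_js()` or `wp_kses_post()`) on the line where it is output, not merely through a sanitizer earlier in the request.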
OpenCVE Enrichment