Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shoutoutglobal ShoutOut shoutout allows Reflected XSS. This issue affects ShoutOut: from n/a through <= 4.0.2.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ShoutOut plugin fails to neutralize user input that is reflected into its HTML output, resulting in a reflected XSS vulnerability (CWE‑79). An attacker can embed script in a URL parameter or form input that the plugin echoes back unchanged, so the victim's browser executes arbitrary JavaScript in the context of the site. This can lead to theft of session cookies, credential hijacking, defacement, or redirection of the user to a phishing page. The impact is confined to the victim's browser and does not directly affect the server, but it can compromise user data or alter client‑side behaviour.

Affected Systems

This vulnerability affects the WordPress ShoutOut plugin published by the vendor shoutoutglobal. All installations of the plugin at version 4.0.2 or earlier are vulnerable. The CVE text does not name a fixed version, so affected sites should upgrade to any release newer than 4.0.2.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, reflecting the ease of exploitation and the potential impact on affected users. The EPSS score is below 1%, suggesting that, although the vulnerability exists, the probability of active exploitation at the time of this analysis is low. The vulnerability is not listed in CISA's KEV catalog, so there is no evidence of widespread exploitation. The likely attack vector is luring a victim to a specially crafted URL or input field that carries the malicious payload, typically via email or social engineering. The exploit conditions are minimal: the site must have the plugin installed, and the victim must open the crafted link while authenticated to, or holding a session cookie for, the site. Given the absence of server‑side consequences, the primary risk is to end users rather than to system integrity.

Generated by OpenCVE AI on April 29, 2026 at 11:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ShoutOut plugin to a version newer than 4.0.2 (ideally 4.0.3 or later).
  • If an upgrade is not available, disable or uninstall the ShoutOut plugin to prevent reflective input rendering.
  • As a temporary measure, configure the site's Content Security Policy to block inline scripts, and enable browser-side XSS filtering where available, to reduce the chance that a reflected script executes.

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 22:15:00 +0000

Type       Values Removed   Values Added
Metrics    (none)           cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
                            ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Wordpress; Wordpress wordpress
Vendors & Products   (none)           Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type          Values Removed   Values Added
Description   (none)           Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shoutoutglobal ShoutOut shoutout allows Reflected XSS. This issue affects ShoutOut: from n/a through <= 4.0.2.
Title         (none)           WordPress ShoutOut plugin <= 4.0.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses    (none)           CWE-79
References    (none)           (none listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:07:04.757Z

Reserved: 2025-12-24T14:00:47.908Z

Link: CVE-2025-68894

Vulnrichment

Updated: 2026-01-27T21:25:41.329Z

NVD

Status : Deferred

Published: 2026-01-22T17:16:13.040

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68894

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T12:00:11Z

Weaknesses