Impact
This vulnerability is an Improper Neutralization of Input During Web Page Generation flaw that allows an attacker to inject script into pages the plugin serves to users. The injected script executes in the victim's browser, which can lead to credential theft, session hijacking, or defacement. The weakness is classified as CWE-79: user-controlled input is placed into a rendered web page without being properly neutralized for its output context.
Affected Systems
The issue affects the JNews - Frontend Submit WordPress plugin from jegtheme. All installations running any version up to and including 11.0.0 are potentially vulnerable; newer releases are assumed to contain the fix. Site owners running these legacy versions on publicly reachable WordPress sites are therefore at risk.
Risk and Exploitability
The CVSS score of 7.1 indicates a moderate severity, but the EPSS score of <1% suggests a low probability of exploitation at this time. The vulnerability is not currently listed in CISA's KEV catalog, which reduces the likelihood of widespread, documented attacks. An attacker would typically need to entice a user into visiting a crafted URL that carries malicious parameters; whether the plugin processes those parameters in a way that allows execution depends on how the form fields are rendered. Because the flaw is reflected, it is generally easy to trigger once the victim follows the link, so the attack vector is inferred to be user interaction over the public web rather than an internal or privileged exploit.
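The reflected pattern described above, in the form a reviewer would look for when auditing a WordPress front-end form, as an added illustrative example. This is not code from the JNews - Frontend Submit plugin, and the parameter name and function names are assumptions; only the WordPress helpers (wp_unslash, sanitize_text_field, esc_attr) are real APIs.

```php
<?php
// Added illustrative example; not the plugin's code. The 'title' parameter
// and both function names are hypothetical.

// VULNERABLE (illustrative CWE-79 pattern): a request parameter is echoed
// straight into an attribute value. A crafted link can close the quote and
// add its own markup, which the browser then executes in the victim's session.
function render_title_field_unsafe() {
    $title = isset( $_GET['title'] ) ? $_GET['title'] : '';
    echo '<input type="text" name="title" value="' . $title . '">';
}

// HARDENED: strip slashes WordPress adds to request data, sanitize the value
// as plain text, and escape it for the exact output context (an HTML attribute).
function render_title_field_safe() {
    $title = isset( $_GET['title'] )
        ? sanitize_text_field( wp_unslash( $_GET['title'] ) )
        : '';
    echo '<input type="text" name="title" value="' . esc_attr( $title ) . '">';
}
```

The escaping function must match the output context: esc_attr() for attribute values, esc_html() for text between tags, esc_url() for href/src, and esc_js() for inline script strings. Sanitizing on input alone is not sufficient, because a value that is safe as stored text may still break out of the attribute it is later printed into.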
OpenCVE Enrichment