Impact
Untrusted input is reflected back to the user’s browser without proper sanitization, allowing an attacker to inject arbitrary JavaScript. An attacker could execute code in the context of the victim’s session, potentially stealing cookies, defacing the site, or redirecting users to malicious destinations. The vulnerability is classified as an unauthenticated XSS flaw and can affect any visitor who loads the affected page.
Affected Systems
The flaw exists in the SweetDate Core plugin for WordPress, released by SeventhQueen. All plugin versions prior to 1.1.5 are vulnerable; any WordPress site that has an older SweetDate Core installation is susceptible. No specific operating system or environment details beyond the WordPress context are provided.
Risk and Exploitability
The CVSS score of 7.1 indicates a high severity with considerable impact potential. The EPSS score is not available, so the current likelihood of exploitation is unknown, but because the flaw is unauthenticated and reflected during normal page viewing, it is potentially exploitable by anyone and likely not hidden behind network boundaries. The vulnerability is not listed in the CISA KEV catalog, but site operators should still consider it significant due to the open nature of the attack vector.
OpenCVE Enrichment