Impact
The vulnerability is an improper neutralization of input during web page generation (CWE-79): the plugin writes attacker-controllable input into its HTML output without encoding it, so injected script is reflected back in the server's response. This Reflected Cross-Site Scripting (XSS) flaw exposes the plugin to arbitrary client-side code execution whenever an attacker can control the Referer field, or other input the plugin processes, that ends up in a rendered page. Successful exploitation can lead to theft of user credentials, page defacement, or session hijacking on the affected WordPress site, compromising the confidentiality, integrity, and availability of user data.
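The following PHP snippet is an added illustration of the general pattern described above, written for this page; it is not the plugin's own code. It places a vulnerable rendering function (the Referer header concatenated straight into markup) beside a hardened one that HTML-encodes the value first, and includes a small check a reviewer can run over the two outputs. The function names, the sample referer value, and the table-cell markup are assumptions; in a WordPress plugin the idiomatic escaping calls are `esc_html()` (text), `esc_attr()` (attributes) and `esc_url()` (link targets), while `htmlspecialchars()` is used here so the script runs under plain PHP.

```php
<?php
// Added example, not the plugin's code. It models the CWE-79 pattern in a
// feature that displays the HTTP Referer: one function echoes the header
// without encoding, the other encodes it first. Names are hypothetical.

// Constructed sample input standing in for $_SERVER['HTTP_REFERER'].
// Any client can set this header to whatever it likes.
$referer = 'http://example.test/?q=<script>alert(1)</script>';

// VULNERABLE: untrusted header concatenated into markup without encoding.
// The browser parses the injected tags as part of the page.
function render_referer_row(string $referer): string
{
    return '<td class="referer">' . $referer . '</td>';
}

// HARDENED: encode for an HTML text context before output.
// ENT_QUOTES also encodes both quote characters, which matters if the
// value is ever placed inside an attribute. In WordPress code this would
// be esc_html($referer) instead of htmlspecialchars().
function render_referer_row_safe(string $referer): string
{
    $encoded = htmlspecialchars($referer, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td class="referer">' . $encoded . '</td>';
}

// Review check: does the rendered fragment still contain the raw input
// verbatim, including its '<'? If so, the markup reached the page unencoded.
function reflects_raw_markup(string $html, string $input): bool
{
    return str_contains($input, '<') && str_contains($html, $input);
}

$vuln = render_referer_row($referer);
$safe = render_referer_row_safe($referer);

echo 'vulnerable: ' . $vuln . PHP_EOL;
echo 'hardened:   ' . $safe . PHP_EOL;
echo 'raw markup reflected (vulnerable): ' . var_export(reflects_raw_markup($vuln, $referer), true) . PHP_EOL;
echo 'raw markup reflected (hardened):   ' . var_export(reflects_raw_markup($safe, $referer), true) . PHP_EOL;
```

Run it with `php example.php`. The hardened output contains `&lt;script&gt;` rather than a live tag, so the browser displays the referer as text instead of executing it; the check function returns true only for the vulnerable rendering. Encoding must match the output context (HTML text, attribute, URL, or JavaScript), which is why WordPress ships separate `esc_*` helpers rather than one general-purpose filter.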
Affected Systems
All installations of the Hugh Mungus Visitor Maps Extended Referer Field plugin at version 1.2.6 or earlier are affected. The plugin is a WordPress add-on that processes HTTP referer data to populate visitor maps. Sites running these versions on any WordPress installation remain at risk until the issue is remediated.
Risk and Exploitability
The CVSS base score of 7.1 indicates a high-severity vulnerability. The EPSS score of less than 1% suggests a low current probability of exploitation, and the flaw is not listed in the CISA KEV catalog. However, because the attack requires a crafted referer header, it is most likely an attacker-initiated, client-side exploitation vector: if an attacker can lure a target user to a page containing the vulnerable code, they could execute arbitrary scripts in the victim's browser. The vulnerability's impact is limited to susceptible clients, but the potential for credential theft and session hijacking creates a serious risk in multi-user environments.
OpenCVE Enrichment