A reflected cross‑site scripting flaw exists in the Flexmls® IDX WordPress plugin caused by improper neutralization of user input, a weakness identified as CWE‑79. When a victim visits a specially crafted request or submits data that is echoed back in the page, an attacker can inject arbitrary JavaScript. Such injected code can steal credentials, hijack sessions, deface the site, or redirect users to malicious destinations, thereby compromising the confidentiality, integrity, and availability of the WordPress installation.

The vulnerability affects all releases of the Flexmls® IDX plugin for WordPress up to and including version 3.15.9. Any WordPress site that has installed the plugin at or below this version is at risk; no other components or versions are known to be affected.

The EPSS score indicates a low exploitation probability (under 1%), and the flaw is not listed in the CISA KEV catalog. Nevertheless, reflected XSS can be triggered simply by a crafted URL or form input, making it readily exploitable by an attacker who can lure a legitimate user to a malicious link. Although a published exploit is not available, the attack surface is accessible via standard web requests, and social engineering can increase the likelihood of victim interaction. The CVSS base score is not disclosed in the report, but the nature of the flaw suggests a high severity assessment under common risk models.