The vulnerability is an unauthenticated cross‑site scripting flaw found in the WordPress "ManageWP Worker" plugin versions up to and including 4.9.31. An attacker can embed malicious JavaScript into content that is rendered by the plugin’s administrative interface, allowing the execution of arbitrary code in the context of any user who views the affected pages. Because the flaw is not protected by authentication, it can be triggered by any visitor to the site, including unauthenticated users. The attacker’s capabilities are limited to the browser context of each user, meaning the impact primarily affects confidentiality and integrity of data accessed in the victim’s session, and could be used to steal credentials or deface the site. The Common Vulnerability Scoring System rates the issue as 7.1, indicating a high severity level. The EPSS score of less than 1% suggests a comparatively low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog.

The affected product is the WordPress "ManageWP Worker" plugin from the vendor ManageWP, for all releases up to version 4.9.31. Any WordPress installation using the plugin in those versions is vulnerable and should be updated.

The CVSS score of 7.1 reflects the high impact of an unauthenticated XSS vulnerability. Because the attacker does not need privileged access and can exploit it via a standard web request, the risk remains significant despite the low EPSS score. The issue is not in the CISA KEV catalog, which indicates insufficient evidence of widespread exploitation yet. Potential exploitation would involve inserting script into the plugin’s admin pages and then luring users to visit those pages to execute the payload.