Impact
The Review Map by RevuKangaroo plugin stores values entered on its settings pages without sanitizing them on save or escaping them on output. When an administrator enters a script into one of these settings, it is persisted in the database and rendered unescaped to every user who views the affected content. This flaw falls under the web-application vulnerability category of input validation and output encoding (stored cross-site scripting).
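The weak pattern described above, and the corrected form, as an added illustration that is not the plugin's own code: a settings value saved raw and echoed raw, beside the same field sanitized on save (including a `sanitize_callback` registered with the Settings API, which applies regardless of `unfiltered_html`) and escaped on output. The option name `rk_map_title`, the `rk_` function names and the sample input are assumptions; the shims at the top are rough approximations of the WordPress helpers so the file also runs from the PHP CLI.

```php
<?php
// Added illustration (not the plugin's code): a WordPress settings field
// stored and rendered the insecure way, beside the hardened form.
// The option name "rk_map_title" and the rk_* functions are assumed placeholders.

// --- Shims so the file also runs outside WordPress (approximations only) ---
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        // WordPress also strips control octets and collapses whitespace; this is the gist.
        return trim(strip_tags($s));
    }
}
// In-memory stand-in for the options table when running outside WordPress.
$GLOBALS['demo_options'] = [];
if (!function_exists('update_option')) {
    function update_option(string $k, $v): bool { $GLOBALS['demo_options'][$k] = $v; return true; }
    function get_option(string $k, $d = '') { return $GLOBALS['demo_options'][$k] ?? $d; }
}

// --- Vulnerable pattern: submitted value saved as-is, stored value echoed as-is ---
function rk_save_title_unsafe(string $submitted): void {
    update_option('rk_map_title', $submitted);                 // no sanitize_callback
}
function rk_render_title_unsafe(): string {
    return '<h2>' . get_option('rk_map_title', '') . '</h2>';   // no escaping
}

// --- Hardened pattern: sanitize on save, escape for the output context ---
function rk_sanitize_title($value): string {
    return sanitize_text_field((string) $value);
}
function rk_save_title_safe(string $submitted): void {
    update_option('rk_map_title', rk_sanitize_title($submitted));
}
function rk_render_title_safe(): string {
    return '<h2>' . esc_html(get_option('rk_map_title', '')) . '</h2>';
}
function rk_render_title_input_safe(): string {
    // An attribute value needs esc_attr, not esc_html.
    return '<input type="text" name="rk_map_title" value="'
        . esc_attr(get_option('rk_map_title', '')) . '">';
}

// Inside WordPress, register the option with the sanitizer so that every
// write made through the Settings API is filtered before it reaches the database.
if (function_exists('add_action')) {
    add_action('admin_init', function () {
        register_setting('rk_map_settings', 'rk_map_title', [
            'type'              => 'string',
            'sanitize_callback' => 'rk_sanitize_title',
            'default'           => '',
        ]);
    });
}

// Demo run (CLI only): constructed sample input containing markup and special characters.
if (!function_exists('add_action')) {
    $sample = 'Downtown map <b>bold</b> & "quotes"';

    rk_save_title_unsafe($sample);
    echo rk_render_title_unsafe(), PHP_EOL;   // markup reaches the page intact

    rk_save_title_safe($sample);
    echo rk_render_title_safe(), PHP_EOL;     // tags stripped on save, rest entity-encoded on output
    echo rk_render_title_input_safe(), PHP_EOL;
}
```

Run from the CLI, the first line printed still contains the `<b>` tag and the raw `&` and quotes, while the hardened lines contain no tags and have `&` and `"` entity-encoded. The two layers are deliberately independent: `sanitize_callback` limits what can be stored, and `esc_html`/`esc_attr` at render time protect against anything that reaches the database by another route (direct database access, an import, an older plugin version).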
Affected Systems
WordPress installations running the Review Map by RevuKangaroo plugin version 1.7 or earlier, on multisite networks or on single-site setups where the unfiltered_html capability is disabled. Injecting the script requires administrator-level permissions, but every visitor to a page that displays the compromised settings is exposed to the malicious code.
Risk and Exploitability
The CVSS score of 4.4 indicates medium severity. No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires a valid, authenticated administrator account; the attack vector is therefore inferred to be local or internal, purely on the basis that only a user who already holds sufficient privileges can insert the payload. Once an attacker holds that privilege, any site visitor who loads the affected page has the injected script executed in their browser, creating the potential for defacement, session hijacking or further lateral movement.
OpenCVE Enrichment