The vulnerability in the WordPress Featured Image plugin arises from insufficient sanitization of data used in the plugin, allowing an attacker to inject arbitrary JavaScript into pages that invoke the plugin. This reflected cross‑site scripting flaw is classified as CWE‑79 and can enable attackers to hijack user sessions, deface content, or phish credentials from unsuspecting visitors. The impact is confined to the compromised user’s browser but can affect multiple users who view the vulnerable page.

The affected product is the WordPress Featured Image plugin, version 2.1 or earlier, created by Mervin Praison. The vendor advises that all users update to version 2.2 or later to mitigate the flaw.

The CVSS score of 6.5 indicates a moderately high risk, but the EPSS score is not available, suggesting no recent public exploitation data. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is through a crafted URL or input field that passes script payloads to the plugin, which then reflects them in the rendered page. An attacker needs only to supply the payload; no special privileges or network access are required, making the exploit straightforward under typical conditions.