The DeBAAT WP Media Category Management plugin for WordPress versions up to 2.2 contains a reflected cross-site scripting (CWE-79) vulnerability. This occurs due to improper neutralization of input during web page generation, enabling an attacker to inject malicious scripts that execute when a user interacts with crafted content. The vulnerability has a CVSS 3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and limited impacts on confidentiality, integrity, and availability. No patch or official remediation level has been published as of the data provided.

Successful exploitation of this vulnerability can allow an attacker to execute arbitrary scripts in the context of the victim's browser session. This may lead to theft of sensitive information, session hijacking, or other malicious actions impacting confidentiality, integrity, and availability to a limited extent. The scope is changed, meaning the vulnerability affects resources beyond the initially vulnerable component. However, no known exploits in the wild have been reported to date.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or temporary mitigation has been published, users should monitor vendor communications for updates. Until a patch is available, consider limiting exposure by restricting access to the plugin or disabling it if feasible.