The Fahad Mahmood Alphabetic Pagination plugin versions up to 3.2.1 suffer from a reflected cross-site scripting (XSS) vulnerability due to improper input neutralization during web page generation. This flaw allows attackers to inject malicious scripts that execute in the victim's browser, potentially leading to information disclosure, session hijacking, or other impacts associated with XSS. The vulnerability is remotely exploitable without privileges and requires user interaction. The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality, integrity, and availability.

Successful exploitation of this vulnerability can lead to the execution of arbitrary scripts in the context of the affected web application, potentially resulting in information disclosure, session hijacking, or other user-targeted attacks. The vulnerability affects confidentiality, integrity, and availability to a low degree but is considered high severity due to the ease of exploitation and scope change. No known exploits are currently reported in the wild.

No patch or official fix information is currently available for this vulnerability. Users of the Fahad Mahmood Alphabetic Pagination plugin should monitor the vendor's communications for updates or patches. In the meantime, applying web application firewall (WAF) rules to detect and block reflected XSS attempts may provide temporary mitigation. Avoiding user interaction with untrusted links can reduce risk. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.