This vulnerability (CVE-2025-28977) in ThimPress WP Pipes involves improper neutralization of input during web page generation, leading to reflected cross-site scripting (CWE-79). It affects WP Pipes versions through 1.4.3. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) indicates that the vulnerability can be exploited remotely over the network with low attack complexity, no privileges required, but requires user interaction. Successful exploitation can result in partial confidentiality, integrity, and availability impacts. No patch or vendor advisory is currently available to confirm remediation status.

Exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of the affected web application, potentially leading to data disclosure, modification, or disruption of service. The reflected XSS nature requires user interaction to trigger the malicious payload. The vulnerability affects confidentiality, integrity, and availability to a limited extent as per the CVSS vector. There are no known active exploits in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider applying temporary mitigations such as disabling or restricting the use of the WP Pipes plugin if feasible. Monitor official ThimPress channels for updates and apply patches promptly once available.