Reflected cross-site scripting is the correct answer because it occurs when an application receives data in a request and includes that data in the immediate response in an unsafe way. In the scenario described, the web application reflects user input directly in the response, which is a classic example of a reflected cross-site scripting vulnerability. Persistent cross-site scripting requires the injected script to be stored on the server and then displayed in subsequent responses to any user visiting the affected page. Cross-site request forgery (CSRF) involves tricking a user into making a request to perform an action that they are authorized to perform, typically without their knowledge, which is not indicated in this scenario. Lastly, SQL injection occurs when an attacker is able to manipulate a SQL query through user input, which is unrelated to script injection reflected in web responses.