Impact
This vulnerability is an Improper Neutralization of Input During Web Page Generation flaw that allows a stored cross‑site scripting (XSS) attack. An attacker can inject malicious scripts that are saved by the Boot‑Modal plugin and then served to any visitor who views the affected page. If an attacker successfully injects script, the code runs in the context of the victim’s browser and can capture cookies, alter page content, or perform other malicious actions. The documented weakness is categorized as CWE‑79.
Affected Systems
The Boot‑Modal plugin, developed by albedo0, is vulnerable in all releases up to and including version 1.9.1. No specific patch version numbers are listed beyond that, but any deployment of the plugin with a version equal to or older than 1.9.1 is affected.
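To check a plugin inventory against the affected range stated above, the following added example compares version strings numerically rather than as text. It is not code from the plugin or from this advisory's source. The inventory format, host names and status labels are constructed for illustration.

```python
import re

# Last affected release, as stated in the advisory text.
LAST_AFFECTED = "1.9.1"
PLUGIN_NAME = "boot-modal"  # plugin name from the advisory, lowercased for matching

# Constructed sample inventory (host, plugin, version); hosts are placeholders.
SAMPLE_INVENTORY = [
    ("site-a.example", "Boot-Modal", "1.9.1"),
    ("site-b.example", "boot-modal", "1.10.0"),
    ("site-c.example", "Boot-Modal", "v1.9"),
    ("site-d.example", "Boot-Modal", ""),
    ("site-e.example", "other-plugin", "0.3"),
]


def parse_version(text):
    """Parse '1.9.1' or 'v1.10' into a tuple of ints; None if no version is found."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    # Drop trailing zeros so that 1.9.1.0 compares equal to 1.9.1.
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version):
    """True if <= 1.9.1, False if newer, None if the version cannot be read."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    # Tuple comparison is numeric per component; plain string comparison
    # would wrongly rank "1.10.0" below "1.9.1".
    return parsed <= parse_version(LAST_AFFECTED)


def audit(inventory):
    """Return (host, version, status) for each Boot-Modal entry."""
    labels = {True: "AFFECTED", False: "not in range", None: "UNKNOWN"}
    return [(host, version, labels[is_affected(version)])
            for host, plugin, version in inventory
            if plugin.strip().lower() == PLUGIN_NAME]


if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(*row, sep="\t")
```

Entries reported as UNKNOWN have no readable version and need a manual check.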
Risk and Exploitability
With a CVSS score of 6.5, the flaw is considered moderate severity. The EPSS score of less than 1 % suggests that exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an attacker who is able to submit data to the plugin (for example, through a form or content field that the plugin stores) and who then relies on the plugin's failure to escape that data when rendering pages. Successful exploitation would require that a user view a page that displays the stored malicious content. The consequence is client‑side compromise; the attacker does not need remote code execution or system access.