Impact
The CRUDLab Like Box plugin for WordPress fails to neutralize user-supplied input before embedding it in a generated web page (CWE-79, Improper Neutralization of Input During Web Page Generation), which permits reflected cross-site scripting (XSS). Script supplied by the attacker is returned in the server's response and executes in the victim's browser within the origin of the affected WordPress site. The advisory does not spell out the consequences; for reflected XSS in a WordPress plugin it is reasonable to infer that the injected JavaScript could capture credentials entered on the page, hijack the victim's session and perform actions with that user's privileges (most damaging when the victim is a logged-in administrator), or deface the rendered content, but none of these outcomes is explicitly confirmed by the description.
Affected Systems
Only installations of the CRUDLab Like Box WordPress plugin at versions up to and including 2.0.9 are affected. Any WordPress site running one of those versions remains vulnerable until the plugin is updated past 2.0.9 or removed.
Risk and Exploitability
The issue carries a CVSS score of 7.1, which places it in the High band (7.0 to 8.9). Its EPSS score is below 1%, indicating a low estimated probability of exploitation activity over the next 30 days, and it is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The description implies a remote attack vector: the attacker crafts a URL (or other request) whose contents the plugin reflects unescaped into the page, and exploitation succeeds when a victim follows that link or submits the attacker-controlled input while visiting the vulnerable site. As is typical of reflected XSS, the attacker needs no account on the site, but the victim's interaction is required.
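To make the CWE-79 pattern described in the Impact and Risk sections concrete, the following is an added illustrative example, not code from the CRUDLab Like Box plugin or from this advisory. The parameter name `page_url`, the rendered markup, and the payload are all assumptions chosen to show how an unescaped reflection of request input becomes reflected XSS, and how validating the value and encoding it for the HTML attribute context neutralizes it. Inside WordPress the equivalents are `esc_url()` and `esc_attr()`; `filter_var()` and `htmlspecialchars()` are used here so the script runs under a plain `php` CLI.

```php
<?php
// Illustrative reflected-XSS pattern and its fix (CWE-79).
// NOT the CRUDLab Like Box plugin's code; parameter name and markup are assumptions.

// Constructed request, as an attacker's crafted link would deliver it.
// The payload closes the attribute, then injects an element with an event handler.
$_GET['page_url'] = 'https://example.com/"><img src=x onerror=alert(document.domain)>';

// Vulnerable: request input is reflected into the page without neutralization.
function render_like_box_vulnerable(string $url): string {
    return '<div class="like-box" data-href="' . $url . '"></div>';
}

// Hardened: validate the value as an http(s) URL (WordPress: esc_url()),
// then encode it for the attribute context (WordPress: esc_attr()).
// Returns an empty string when validation fails so nothing attacker-shaped is emitted.
function render_like_box_hardened(string $url): string {
    $valid = filter_var($url, FILTER_VALIDATE_URL);
    if ($valid === false || !preg_match('#^https?://#i', $valid)) {
        return '';
    }
    $safe = htmlspecialchars($valid, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="like-box" data-href="' . $safe . '"></div>';
}

$input = $_GET['page_url'] ?? '';
echo "Vulnerable: " . render_like_box_vulnerable($input) . "\n";
// -> <div class="like-box" data-href="https://example.com/"><img src=x onerror=alert(document.domain)>"></div>
echo "Hardened:   " . render_like_box_hardened($input) . "\n";
// -> empty line: the payload is not a valid URL and is rejected before output.

// A benign value passes validation and is still encoded, so a stray quote
// could never break out of the attribute.
echo "Benign:     " . render_like_box_hardened('https://example.com/page?a=1&b=2') . "\n";
// -> <div class="like-box" data-href="https://example.com/page?a=1&amp;b=2"></div>
```

Run it with `php render_like_box.php`. The vulnerable line shows the attacker's `<img ... onerror=...>` landing in the document as live markup; the hardened version applies two independent layers, rejecting input that is not a URL at all and HTML-encoding whatever survives, so a payload that happened to pass validation would still be rendered as inert text rather than parsed as a tag.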
OpenCVE Enrichment