Impact
Improper neutralization of user input in the Bowo Variable Inspector plugin causes reflected cross‑site scripting. Because a request value is reflected back into the page without being neutralized, an attacker can craft a link or form input containing JavaScript that runs in the victim's browser when that link is visited or the input is echoed back. The vulnerability falls under CWE‑79 and can enable attackers to steal session cookies, carry out phishing, or mount other client‑side attacks. The impact is confined to the context of the user's browser and does not directly affect the plugin's server‑side components.
Affected Systems
All installations of the Bowo Variable Inspector plugin at version 2.6.2 or earlier. The vulnerability affects WordPress sites that have the plugin active.
Risk and Exploitability
The CVSS score of 7.1 classifies the issue as high severity; however, the EPSS score of less than 1% indicates a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Because the flaw is reflected, the attack vector is typically a crafted HTTP GET or POST request that the victim must load, either by following a malicious link or by submitting input that is echoed back; this reliance on user interaction makes it a classic human‑interaction based XSS. This moderate exploitability, combined with high severity, warrants prompt remediation.
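To make the "improper neutralization" concrete, the following is an added illustration (not the Variable Inspector plugin's own code) of a WordPress admin page that reflects a hypothetical `var_name` query parameter, shown first unsafely and then hardened with WordPress's own sanitization, context-specific escaping, capability and nonce checks:

```php
<?php
// Illustrative example only: this is NOT the Variable Inspector plugin's code.
// Assumes a hypothetical admin page that echoes a "var_name" query parameter
// back to the requester, which is the pattern behind a reflected XSS.

// BEFORE: the raw request value is written straight into the HTML response,
// so any markup contained in the parameter is rendered by the victim's browser.
function vi_demo_render_unsafe() {
    $name = isset( $_GET['var_name'] ) ? $_GET['var_name'] : '';
    echo '<p>Inspecting variable: ' . $name . '</p>';                  // unescaped text node
    echo '<input type="text" name="var_name" value="' . $name . '">';  // unescaped attribute
}

// AFTER: the value is sanitized on the way in and escaped for the exact
// context it is written into (text node vs. attribute value), which
// neutralizes the characters a script injection depends on.
function vi_demo_render_safe() {
    // Only privileged users may reach the page, and the request must carry a
    // nonce issued by the plugin's own form, so an arbitrary link a victim
    // follows is rejected before anything is reflected.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'vi-demo' ) );
    }
    check_admin_referer( 'vi_demo_inspect', 'vi_demo_nonce' );

    $name = isset( $_GET['var_name'] )
        ? sanitize_text_field( wp_unslash( $_GET['var_name'] ) )
        : '';

    // esc_html() for text content, esc_attr() for attribute values.
    echo '<p>Inspecting variable: ' . esc_html( $name ) . '</p>';
    echo '<input type="text" name="var_name" value="' . esc_attr( $name ) . '">';

    // Re-issue the nonce so the next legitimate request from this page passes
    // check_admin_referer(); wp_nonce_field() returns the markup when echo=false.
    echo wp_nonce_field( 'vi_demo_inspect', 'vi_demo_nonce', true, false );
}
```

The hardened version shows the two independent controls a reviewer would look for in a fix for this class of bug: output escaping chosen per HTML context, and a nonce plus capability check so the reflecting page cannot be driven by a link the victim merely follows.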