Impact
The Toggle Box plugin for WordPress contains a stored cross-site scripting flaw (CWE-79). Content submitted through the plugin's interface is stored without being neutralised and is later written into a page as-is, so an attacker who can save toggle-box content can embed arbitrary HTML and JavaScript that runs in the browser of every visitor to the affected page, with that visitor's privileges on the site. Typical consequences are actions performed silently as a logged-in user who views the page, theft of session cookies where script can read them (WordPress marks its own login cookies HttpOnly, so in practice the script more often acts through the victim's session than reads it), defacement of the page, and redirection of visitors to attacker-controlled sites.
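As an added illustration (not code from the Toggle Box plugin, which the advisory does not reproduce), the following PHP shows a minimal WordPress shortcode handler in the vulnerable shape described above, beside a hardened version that escapes each stored value for the context it lands in. The `[togglebox]` tag, its `title` attribute, the stand-in functions and every function name are assumptions made for the example; when loaded inside WordPress the real `esc_html()`, `esc_attr()`, `wp_kses_post()` and `shortcode_atts()` are used instead of the stand-ins.

```php
<?php
// Added illustration for this page, not code from the Toggle Box plugin (the
// advisory reproduces none): a minimal WordPress shortcode handler in the
// vulnerable shape described (stored values written into the page verbatim)
// beside a hardened version. The [togglebox] tag, its 'title' attribute and
// every function name here are assumed for the example.

// Stand-ins so the file also runs outside WordPress (`php togglebox-demo.php`).
// Inside WordPress the real esc_html()/esc_attr()/wp_kses_post()/shortcode_atts()
// are used. The wp_kses_post() stand-in escapes everything, which is stricter
// than the real function (that one keeps safe post HTML and strips the rest).
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
    function esc_attr( $text ) {
        return esc_html( $text );
    }
    function wp_kses_post( $html ) {
        return esc_html( $html ); // demo-only stand-in, see note above
    }
    function shortcode_atts( $pairs, $atts, $shortcode = '' ) {
        return array_merge( $pairs, array_intersect_key( (array) $atts, $pairs ) );
    }
}

// Vulnerable shape (CWE-79): title and body saved with the post reach the page raw.
function togglebox_render_vulnerable( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'title' => 'Details' ), $atts, 'togglebox' );
    return '<div class="togglebox" data-title="' . $atts['title'] . '">'
         . '<a href="#" class="togglebox-toggle">' . $atts['title'] . '</a>'
         . '<div class="togglebox-body">' . $content . '</div></div>';
}

// Hardened: escape each stored value at output time for the context it lands in
// (attribute value, text node, or HTML body that may legitimately carry markup).
function togglebox_render_hardened( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'title' => 'Details' ), $atts, 'togglebox' );
    return '<div class="togglebox" data-title="' . esc_attr( $atts['title'] ) . '">'
         . '<button type="button" class="togglebox-toggle">' . esc_html( $atts['title'] ) . '</button>'
         . '<div class="togglebox-body">' . wp_kses_post( $content ) . '</div></div>';
}

// Only the hardened handler should ever be registered.
if ( function_exists( 'add_shortcode' ) ) {
    add_shortcode( 'togglebox', 'togglebox_render_hardened' );
}

// True when the rendered HTML still contains a <script> element or any element
// carrying an inline on* event handler, judged by a real HTML parse rather than
// a substring match (escaped text such as "&lt;img onerror=" must not count).
function togglebox_has_live_script( $html ) {
    $doc = new DOMDocument();
    libxml_use_internal_errors( true );
    $doc->loadHTML( '<!DOCTYPE html><html><body>' . $html . '</body></html>' );
    libxml_clear_errors();
    if ( $doc->getElementsByTagName( 'script' )->length > 0 ) {
        return true;
    }
    foreach ( $doc->getElementsByTagName( '*' ) as $element ) {
        foreach ( $element->attributes as $attribute ) {
            if ( stripos( $attribute->name, 'on' ) === 0 ) {
                return true;
            }
        }
    }
    return false;
}

// Constructed payload placed in both the attribute and the body, rendered both ways.
function togglebox_demo() {
    $atts    = array( 'title' => '"><img src=x onerror=alert(document.domain)>' );
    $content = '<script>fetch("/wp-json/wp/v2/users/me")</script><p>Real body text</p>';
    $vuln    = togglebox_render_vulnerable( $atts, $content );
    $hard    = togglebox_render_hardened( $atts, $content );
    return array(
        'vulnerable_html'     => $vuln,
        'vulnerable_executes' => togglebox_has_live_script( $vuln ), // true
        'hardened_html'       => $hard,
        'hardened_executes'   => togglebox_has_live_script( $hard ), // false
    );
}

if ( PHP_SAPI === 'cli' && isset( $argv[0] ) && realpath( $argv[0] ) === __FILE__ ) {
    foreach ( togglebox_demo() as $key => $value ) {
        echo $key, ': ', is_bool( $value ) ? var_export( $value, true ) : $value, PHP_EOL;
    }
}
```

Run it with `php togglebox-demo.php`: the vulnerable render emits the `<img onerror>` and `<script>` elements intact, while the hardened render turns them into harmless text. The attribute-context payload (`"><img ...>`) is the important one: escaping only the body with `wp_kses_post()` would still let a title break out of `data-title="..."`, which is why each value is escaped for its own context.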
Affected Systems
The affected product is the Toggle Box plugin from the vendor phantom.omaga. Every release from the earliest version up to and including 1.6 is vulnerable, and any site with the plugin installed and its toggle-box feature in use is exposed. The advisory names no fixed release, so site owners should check the installed plugin version and treat 1.6 and earlier as vulnerable until a fixed version is confirmed; until then, disabling or removing the plugin is the straightforward mitigation.
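The version check above, as an added helper that is not part of the advisory or the plugin: it scans a WordPress plugins directory, reads each plugin header the way WordPress does, and flags any "Toggle Box" install whose version falls in the affected range. The header string `toggle box` used to recognise the plugin and the default plugins path are assumptions; confirm the match against the real slug and header of the installation before acting on the result.

```php
<?php
// Added helper for this page, not from the advisory or the plugin: scans a
// WordPress plugins directory for plugin headers whose "Plugin Name" contains
// "Toggle Box" and flags versions inside the advisory's affected range
// (everything up to and including 1.6). The header match string and the
// plugins path are assumptions; check them against the real install.

// "1.6.0" and "1.6" denote the same release, but version_compare() ranks
// "1.6.0" above "1.6"; strip trailing ".0" segments so the range check holds.
function togglebox_normalise_version( $version ) {
    return preg_replace( '/(\.0+)+$/', '', trim( (string) $version ) );
}

function togglebox_is_affected( $version, $last_affected = '1.6' ) {
    return version_compare(
        togglebox_normalise_version( $version ),
        togglebox_normalise_version( $last_affected ),
        '<='
    );
}

// Reads the "Plugin Name:" and "Version:" lines of a plugin header the way
// WordPress does: a line-anchored, case-insensitive match within the first 8 KB.
function togglebox_parse_header( $source ) {
    $fields = array();
    foreach ( array( 'name' => 'Plugin Name', 'version' => 'Version' ) as $key => $label ) {
        $pattern = '/^[ \t\/*#@]*' . preg_quote( $label, '/' ) . ':(.*)$/mi';
        if ( preg_match( $pattern, $source, $m ) ) {
            $fields[ $key ] = trim( $m[1] );
        }
    }
    return $fields;
}

// Returns [plugin-directory => version] for each matching install in range.
function togglebox_find_affected( $plugins_dir, $name_match = 'toggle box' ) {
    $hits  = array();
    $files = glob( rtrim( $plugins_dir, '/' ) . '/*/*.php' );
    foreach ( $files ? $files : array() as $file ) {
        $header = togglebox_parse_header( file_get_contents( $file, false, null, 0, 8192 ) );
        if ( empty( $header['name'] ) || empty( $header['version'] ) ) {
            continue; // not the main plugin file
        }
        if ( stripos( $header['name'], $name_match ) === false ) {
            continue;
        }
        if ( togglebox_is_affected( $header['version'] ) ) {
            $hits[ basename( dirname( $file ) ) ] = $header['version'];
        }
    }
    return $hits;
}

if ( PHP_SAPI === 'cli' && isset( $argv[0] ) && realpath( $argv[0] ) === __FILE__ ) {
    // Default path is an assumption; pass the real plugins directory as argv[1].
    $dir  = isset( $argv[1] ) ? $argv[1] : '/var/www/html/wp-content/plugins';
    $hits = togglebox_find_affected( $dir );
    if ( ! $hits ) {
        echo "no Toggle Box install in the affected range under $dir\n";
    }
    foreach ( $hits as $slug => $version ) {
        echo "$slug: version $version is affected (<= 1.6)\n";
    }
    exit( $hits ? 1 : 0 );
}
```

Run as `php togglebox-check.php /path/to/wp-content/plugins`; a non-zero exit means an affected install was found, which makes the script easy to drop into a fleet-wide audit job. Because the advisory gives only an upper bound, the script treats any version it cannot place above 1.6 as affected rather than assuming a newer release is fixed.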
Risk and Exploitability
The CVSS score of 6.5 places the flaw at moderate severity, and the EPSS score of under 1% indicates a low probability of exploitation in the wild at present; the vulnerability is also absent from the CISA KEV catalog, so no active exploitation has been confirmed there. Nonetheless, anyone with an account that can add or edit toggle-box content can plant the payload. On most sites that means editor or administrator privileges, but wherever a lower-privileged role can reach the feature the flaw becomes a privilege-escalation path, since the injected script runs in the browser of every user who views the page, administrators included, and can act with their session. On a publicly reachable site the risk therefore remains meaningful despite the low EPSS.