Impact
Improper Neutralization of Input During Web Page Generation (CWE-79, a stored cross-site scripting flaw) allows an attacker to inject JavaScript that the plugin persists and subsequently serves to every visitor of the affected pages. Once it executes in a visitor's browser, the script can hijack that user's session, deface the site, or exfiltrate sensitive data. The root cause is a classic input validation flaw: user-supplied content reaches the generated page without being neutralized, so attacker-controlled markup runs in the victim's browser context.
Affected Systems
The vulnerability affects the BooSpot Boo Recipes WordPress plugin in all releases from the earliest version through 2.4.1. No specific sub-versions are listed, so the entire 2.4.1 release family is impacted, and users on older releases are also potentially vulnerable.
Risk and Exploitability
The CVSS score of 6.5 indicates a high impact when exploited, while an EPSS score below 1 % signals a relatively low probability of exploitation at the time of analysis. The vulnerability is not currently listed in the CISA KEV catalog. An attacker would typically target the plugin through web requests that store data (for example, recipe creation forms) and rely on the site's visitors to trigger the stored script. Precise prerequisites are not detailed in the description; basic web access to the plugin's interfaces is required.
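To make the weakness class concrete in a WordPress setting, the following is an added example and not the Boo Recipes plugin's own code: a hypothetical recipe "notes" field that a submission form writes and that is later rendered for every visitor, shown first in the unescaped form that produces stored XSS and then hardened with WordPress core's sanitization, escaping, capability and nonce functions. The field name, meta key and function names are assumptions.

```php
<?php
// Added example (not the plugin's code). Hypothetical "recipe_notes" field.

// --- Vulnerable pattern: stored input is rendered verbatim (CWE-79). ---
function boo_example_save_notes_vulnerable( $post_id ) {
    if ( isset( $_POST['recipe_notes'] ) ) {
        // Raw request data goes straight into the database, unchecked.
        update_post_meta( $post_id, '_recipe_notes', $_POST['recipe_notes'] );
    }
}

function boo_example_render_notes_vulnerable( $post_id ) {
    // Whatever was stored is emitted into the page for every visitor,
    // so any <script> or event-handler attribute in it executes in their browser.
    echo '<div class="recipe-notes">' . get_post_meta( $post_id, '_recipe_notes', true ) . '</div>';
}

// --- Hardened pattern: authorize and sanitize on the way in, escape on the way out. ---
function boo_example_save_notes_hardened( $post_id ) {
    // Capability check: only users allowed to edit this post may write the field.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // Nonce check: the request must originate from the plugin's own form.
    $nonce = isset( $_POST['recipe_notes_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['recipe_notes_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'save_recipe_notes' ) ) {
        return;
    }
    if ( isset( $_POST['recipe_notes'] ) ) {
        // wp_kses_post() keeps only the HTML allowed in post content and strips
        // script tags and on* handlers before anything reaches the database.
        $notes = wp_kses_post( wp_unslash( $_POST['recipe_notes'] ) );
        update_post_meta( $post_id, '_recipe_notes', $notes );
    }
}

function boo_example_render_notes_hardened( $post_id ) {
    $notes = get_post_meta( $post_id, '_recipe_notes', true );
    // Escape at output regardless of what the database holds: defence in depth
    // against rows stored by an earlier, unsanitized version of the code.
    // Use esc_html() instead if the field is meant to be plain text.
    echo '<div class="recipe-notes">' . wp_kses_post( $notes ) . '</div>';
}

// Hook the hardened save handler into WordPress core's save_post action (assumed wiring).
add_action( 'save_post', 'boo_example_save_notes_hardened' );
```

The pairing of input sanitization with output escaping matters because a plugin update cannot retroactively clean data that earlier vulnerable versions already stored.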