Impact
The plugin fails to neutralize user-supplied data before rendering it on a web page, resulting in stored cross-site scripting (XSS). An attacker with access to the vulnerable plugin's input fields can inject script content that is persisted in the log store and later executed in the browsers of users who view those logs, potentially compromising user sessions, defacing the site, or stealing credentials. The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and is commonly mitigated by proper output encoding and input validation.
Affected Systems
The flaw affects the Bowo Debug Log Manager WordPress plugin in all versions up to and including 2.3.4; any site running an affected version is at risk.
Risk and Exploitability
A CVSS score of 7.1 indicates high severity, while an EPSS score below 1% suggests a low current likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be the plugin's logging interface, where submitted payloads are stored and later rendered to users. Although no public exploit has been reported, the stored nature of the XSS makes it a high-impact risk to any user who accesses the log view.
OpenCVE Enrichment