Impact
Improper neutralization of input during web page generation (CWE‑79) in Pluggabl LLC Booster Plus for WooCommerce allows reflected cross‑site scripting (XSS). A reflected XSS flaw means that a malicious actor can embed JavaScript in a URL or form input that the plugin renders straight back into the page served to the victim's browser. If executed, the script runs in the victim's browser in the context of the site, with the privileges of the affected user's session, potentially compromising session state, leaking cookies, or redirecting to phishing sites. The vulnerability has no impact on the site's server state or data integrity beyond the victim's interaction, but it can undermine user trust and facilitate credential theft or defacement.
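The paragraph above describes the generic mechanism. The following is an added example, not code from Booster Plus or Pluggabl, that shows the pattern producing reflected XSS beside the escaped form a WordPress plugin should use. The parameter names (`search`, `return_url`) and the markup are hypothetical; `esc_html()`, `esc_attr()` and `esc_url()` are real WordPress functions, and the simplified fallbacks defined here exist only so the file also runs under the plain `php` CLI without WordPress loaded.

```php
<?php
// Added example, not the plugin's code. Parameter names and markup are hypothetical.

// Fallbacks so this runs under the plain php CLI. Inside WordPress the real
// esc_html()/esc_attr()/esc_url() from wp-includes/formatting.php are used instead
// (the real esc_url() additionally validates the scheme against wp_allowed_protocols()).
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url($url) {
        // Simplified stand-in: allow only http(s) and site-relative URLs, then escape.
        $url = trim((string) $url);
        if ($url !== '' && !preg_match('#^(https?://|/)#i', $url)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: request input is concatenated into the page unchanged,
// so a crafted value lands in the HTML body, an attribute and an href as-is.
function render_vulnerable(array $get): string {
    $term = $get['search'] ?? '';
    $back = $get['return_url'] ?? '/';
    return '<p>Results for: ' . $term . '</p>'
         . '<input type="text" name="search" value="' . $term . '">'
         . '<a href="' . $back . '">Back</a>';
}

// Hardened pattern: escape each value for the context it lands in
// (HTML text, attribute value, URL). Escaping happens at output time, not on input.
function render_hardened(array $get): string {
    $term = $get['search'] ?? '';
    $back = $get['return_url'] ?? '/';
    return '<p>Results for: ' . esc_html($term) . '</p>'
         . '<input type="text" name="search" value="' . esc_attr($term) . '">'
         . '<a href="' . esc_url($back) . '">Back</a>';
}

// Constructed sample request of the kind a reflected-XSS report would contain:
// one value breaks out of an attribute, the other smuggles a script: URL.
$request = [
    'search'     => '"><script>alert(1)</script>',
    'return_url' => 'javascript:alert(1)',
];

echo "Vulnerable output:\n", render_vulnerable($request), "\n\n";
echo "Hardened output:\n",   render_hardened($request),   "\n";
```

Running it shows the vulnerable output containing a live `<script>` element and a `javascript:` link, while the hardened output carries only `&lt;script&gt;` text, a quoted attribute value, and an empty href. The point for reviewers of a plugin patch is that the fix belongs at every output site, chosen by context, rather than in a single input filter.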
Affected Systems
The flaw affects all installations of Booster Plus for WooCommerce up through version 7.2.4, regardless of platform or WordPress instance. Any WordPress site that has not yet upgraded to at least 7.2.5 is at risk.
Risk and Exploitability
The CVSS score of 7.1 indicates a high severity, and the EPSS score of less than 1% suggests that exploitation is unlikely in the wild at present. The vulnerability is not listed in the CISA KEV catalog, so no known large‑scale exploitation has been reported. Since the flaw is reflected, the most likely attack vector involves an attacker crafting a URL or form input containing malicious script, then luring a victim to visit it. If the victim’s browser accepts the embedded script, the attack succeeds. The low EPSS score indicates that automated exploitation is not common, but manual attempts remain straightforward for attackers who target individual sites or users.