The CVE describes a stored cross‑site scripting flaw in the CC BMI Calculator WordPress plugin caused by improper neutralization of user input during web page generation. This weakness allows an attacker to embed malicious script that will be served to all browsers that load the affected page. While the attack is confined to client‑side execution and does not grant direct remote code execution on the server, it could enable adversaries to perform unauthorized actions within the victim’s browser, such as reading sensitive information or manipulating sessions. Based on the description, it is inferred that such client‑side abuse may lead to data exfiltration or session hijacking, though these consequences are not explicitly stated in the published security advisory.

Any WordPress site running the CC BMI Calculator plugin up to and including release 2.1.0 is affected. The plugin is supplied by CC (the vendor CC catering to the CC BMI Calculator). No further version specifics are provided beyond the <= 2.1.0 bound, so any instance of that plugin with that or earlier versions should be considered vulnerable until a fix is applied.

The CVSS base score is 6.5, indicating medium severity. The EPSS score is below 1%, signaling a very low, but non‑zero, current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, so no recent confirmed exploits are known. The likely attack route requires a mechanism to store user‑supplied data that is later rendered without sanitization – typical points of entry might be plugin configuration options or other input fields that persist across sessions. An attacker who can inject script via such a path would cause the payload to be served to any user visiting the affected page, allowing client‑side attacks limited to the browser context.