Impact
Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) is present in the Woobox WordPress plugin in versions 1.6 and earlier. The plugin does not escape user-supplied data before inserting it into page output, resulting in a DOM-based XSS flaw. An attacker could inject malicious JavaScript by crafting a URL or manipulating content that the plugin renders, potentially enabling session hijacking, credential theft, defacement, or delivery of malware to legitimate site visitors.
Affected Systems
Woobox is a popular community-engagement plugin for WordPress that lets site owners create contests, giveaways, and other interactive content. The vulnerability affects every installation running Woobox version 1.6 or older, regardless of the specific minor revision. The affected component is the core plugin code that renders interactive widgets; it does not depend on a particular theme or on other plugins.
Risk and Exploitability
The CVSS score of 6.5 classifies the flaw as medium severity. The EPSS score is below 1%, indicating a very low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote visitor loading a page that contains vulnerable plugin output, which allows injection of arbitrary scripts via crafted URLs or content. Based on the description, it is inferred that exploitation requires a victim to load such a page, at which point the injected script executes in the victim's browser context, potentially compromising session data and site integrity.
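To illustrate the defect class described above (untrusted input written into page output without escaping), here is an added example that is not Woobox code: a hypothetical widget that reflects a `winner` query parameter into its markup, shown in the unsafe form beside a hardened form that escapes the value first. The parameter name, the markup and the sample query string are all constructed for this example.

```javascript
// Added example, not taken from the Woobox plugin. It contrasts an unescaped
// reflection of a URL parameter with the same rendering after HTML escaping.

// Escape the five characters that let text break out of an HTML context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Read a named parameter from a query string such as location.search.
function readParam(search, name) {
  return new URLSearchParams(search).get(name) || "";
}

// Unsafe pattern: visitor-controlled text is concatenated straight into HTML,
// so a value containing markup becomes part of the DOM when assigned via innerHTML.
function renderUnsafe(search) {
  const winner = readParam(search, "winner");
  return `<div class="winner">Congratulations ${winner}!</div>`;
}

// Hardened pattern: the value is escaped before it reaches the markup. In real
// browser code, prefer textContent or setAttribute over building HTML strings.
function renderSafe(search) {
  const winner = readParam(search, "winner");
  return `<div class="winner">Congratulations ${escapeHtml(winner)}!</div>`;
}

// Constructed sample input: a query string carrying a script tag.
const sampleSearch = "?winner=" + encodeURIComponent("<script>alert(1)</script>");
```

The same principle applies on the PHP side of a WordPress plugin, where output helpers such as `esc_html()` and `esc_attr()` exist for exactly this purpose.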
OpenCVE Enrichment