Impact
The vulnerability originates from improper neutralization of input during web page generation in the Booster for WooCommerce plugin. Stored XSS enables an attacker to inject JavaScript or other malicious content into pages that are rendered for all site visitors. This can compromise user accounts, deface the site, or facilitate credential theft, because the code executes in the browser context of anyone who views the affected content.
Affected Systems
The flaw affects all versions of the Booster for WooCommerce plugin from the initial release up to and including 7.3.2. The plugin is identified as Pluggabl Booster for WooCommerce and appears in the WordPress plugin repository.
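An added example, not part of the original advisory or the plugin's code: a check that reads WordPress plugin headers under a plugins directory and flags any copy of the plugin at or below 7.3.2. It assumes the installed plugin's header carries the display name "Booster for WooCommerce" as written in this advisory; the sample header is constructed.

```python
import re
import sys
from pathlib import Path

PLUGIN_NAME = "Booster for WooCommerce"   # assumed header name, taken from the advisory
LAST_AFFECTED = (7, 3, 2)                 # advisory: up to and including 7.3.2

# WordPress plugin header fields look like " * Version: 7.3.2" inside a comment.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.M | re.I)

# Constructed sample header, used only to demonstrate the parser.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Booster for WooCommerce
 * Version: 7.3.2
 */
"""

def read_header(php_source):
    """Return the Plugin Name and Version fields from a plugin file's header."""
    head = php_source[:8192]  # WordPress reads header fields from the first 8 KB
    return {key.lower(): value for key, value in HEADER_RE.findall(head)}

def parse_version(text):
    """Turn '7.3.2' or '7.3.2-beta' into a tuple of ints; () if unparseable."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    return tuple(int(n) for n in m.group(1).split(".")) if m else ()

def is_affected(version):
    """True if version <= 7.3.2. An unparseable version is flagged for review."""
    v = parse_version(version)
    width = max(len(v), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))  # so 7.3.2.0 compares equal to 7.3.2
    return pad(v) <= pad(LAST_AFFECTED)

def scan_plugins(plugins_dir):
    """Return (path, version, affected) for each installed copy of the plugin."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php.read_text(encoding="utf-8", errors="replace"))
        if header.get("plugin name", "").lower() == PLUGIN_NAME.lower():
            version = header.get("version", "")
            findings.append((str(php), version, is_affected(version)))
    return findings

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a site's wp-content/plugins directory
        for path, version, affected in scan_plugins(sys.argv[1]):
            print(f"{'AFFECTED' if affected else 'ok':8} {version or '?':10} {path}")
    else:
        print(read_header(SAMPLE_HEADER), is_affected("7.3.2"))
```

Run it with the path to a site's `wp-content/plugins` directory as the only argument; with no argument it parses the constructed sample header.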
Risk and Exploitability
With a CVSS score of 6.5, the vulnerability is of moderate severity, and the EPSS score of less than 1% indicates a low probability of exploitation at present. The vulnerability is not recorded in the CISA KEV catalog. Attackers would most likely introduce malicious payloads through the plugin’s stored settings or content that is rendered on front‑end pages, thereby exposing all site visitors. No public exploits have been reported, but because the flaw is stored, injected code remains active until it is manually removed or the plugin is updated.