Impact
The Basticom Framework plugin for WordPress has been found to improperly neutralize user input, resulting in a stored cross-site scripting (XSS) flaw. This class of vulnerability lets an attacker embed script that is saved with the site's content and executed each time a page containing that content is viewed. Based on the description, an attacker able to insert or modify stored data could hijack user sessions, deface pages, or trigger unauthorized actions on behalf of the visitor; these consequences follow from the nature of stored XSS and correspond to CWE-79.
Affected Systems
Any WordPress installation running the Basticom Framework plugin up to and including version 1.5.2 is vulnerable. The weakness is present in all prior builds of the plugin, regardless of user role or site configuration, so every site owner running an affected version is at risk.
Risk and Exploitability
The CVSS base score of 5.9 reflects moderate severity, and the EPSS score below 1% indicates a low likelihood of widespread exploitation at present. Attackers can exploit the flaw remotely through the web interface by creating or editing content that is stored and later rendered to other visitors; no special credentials or network access are required. The vulnerability is not listed in the CISA KEV catalog, but its ability to compromise the confidentiality, integrity, or availability of user interactions warrants timely remediation.
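To make the "improper neutralization" described above concrete, the following is an added, hypothetical WordPress plugin fragment (not Basticom Framework code) that shows the stored-XSS pattern beside its remediated form. The function and option names (demo_tagline, demo_save_tagline, etc.) are assumed for illustration; the WordPress APIs used (update_option, get_option, sanitize_text_field, esc_html, wp_verify_nonce, current_user_can) are real.

```php
<?php
// Hypothetical plugin fragment (assumed names; not the Basticom Framework's code).
// A user-supplied "tagline" is saved to the options table and rendered on every page.

// --- Vulnerable pattern: input stored verbatim, then echoed without escaping. ---
function demo_save_tagline_unsafe() {
    if ( isset( $_POST['demo_tagline'] ) ) {
        // No capability check, no nonce, no sanitization: "<script>..." is persisted as-is.
        update_option( 'demo_tagline', wp_unslash( $_POST['demo_tagline'] ) );
    }
}

function demo_render_tagline_unsafe() {
    // Raw echo of stored data: whatever was saved runs in every visitor's browser (CWE-79).
    echo '<p class="tagline">' . get_option( 'demo_tagline', '' ) . '</p>';
}

// --- Hardened pattern: authorize the write, sanitize on input, escape at the output sink. ---
function demo_save_tagline_safe() {
    if ( ! isset( $_POST['demo_tagline'] ) ) {
        return;
    }
    // Only users allowed to manage options may change it, and the request must carry a valid nonce.
    $nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
    if ( ! current_user_can( 'manage_options' ) || ! wp_verify_nonce( $nonce, 'demo_save_tagline' ) ) {
        return;
    }
    // sanitize_text_field() strips tags and control characters before the value is persisted.
    update_option( 'demo_tagline', sanitize_text_field( wp_unslash( $_POST['demo_tagline'] ) ) );
}

function demo_render_tagline_safe() {
    // Escape at the sink with the escaper matching the HTML context (esc_html for text nodes,
    // esc_attr for attribute values). This neutralizes anything that reached storage by
    // another path, e.g. a direct database edit or an older, unsanitized version of the plugin.
    echo '<p class="tagline">' . esc_html( get_option( 'demo_tagline', '' ) ) . '</p>';
}

// Wiring for the hardened handler (assumed hook names for this illustration).
add_action( 'admin_post_demo_save_tagline', 'demo_save_tagline_safe' );
add_action( 'wp_footer', 'demo_render_tagline_safe' );
```

If the field is meant to hold limited markup rather than plain text, replace sanitize_text_field() with wp_kses_post() on input and keep escaping at the output sink regardless; escaping on output is the control that survives a stored payload.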
OpenCVE Enrichment