Impact
The vulnerability arises from improper neutralization of user input in the BWL Pro Voting Manager plugin: client-side script in the plugin takes attacker-influenced data and writes it into the page's DOM without adequate encoding, so the browser processes it as markup or script (DOM-based cross-site scripting). An attacker can therefore run arbitrary JavaScript in a victim's browser in the context of the affected site, which can be used to read session cookies or other tokens accessible to script, perform actions as the victim, deface the page, or redirect users to phishing pages. Because the flaw is exploited in the browser rather than on the server, the direct impact is confined to what the victim's session can do, but privileged users who view or manage the votes are attractive targets: script running in an administrator's session can act on the site with that administrator's authority or be used to capture their credentials.
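The following is an added example and not code from the BWL Pro Voting Manager plugin: a minimal client-side voting widget written two ways, to show how a DOM-based injection of the kind described above arises (an untrusted source feeding an HTML sink) and what the hardened version looks like. All names (the `poll` parameter, the `bpvm-*` classes, the function names) and the payload are hypothetical and constructed for illustration.

```javascript
// Added example, not code from the BWL Pro Voting Manager plugin.
// Names (bpvm-*, "poll" parameter, function names) are hypothetical.

// Step 1 - the source. A client-side script reads attacker-influenced data,
// here a "poll" value from the URL. A value carried in the fragment (#...)
// is never sent to the server, so it leaves no trace in server logs or a
// server-side WAF; only the browser ever sees it.
function readPollParams(href) {
  const url = new URL(href);
  return {
    fromQuery: url.searchParams.get('poll'),
    fromFragment: new URLSearchParams(url.hash.slice(1)).get('poll'),
  };
}

// Step 2, vulnerable - the sink. Untrusted text is concatenated into markup
// and handed to an HTML sink (innerHTML, insertAdjacentHTML, jQuery .html()).
// Any "<" in the input is parsed as a tag, so an <img onerror=...> payload runs.
function buildVoteMarkupUnsafe(pollLabel) {
  return '<div class="bpvm-vote"><span class="bpvm-label">' + pollLabel + '</span></div>';
}
// In the browser the vulnerable widget would do something like:
//   document.getElementById('bpvm-root').innerHTML =
//     buildVoteMarkupUnsafe(readPollParams(location.href).fromFragment);

// Hardened option A: encode for the HTML text context before reaching the sink.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}
function buildVoteMarkupEscaped(pollLabel) {
  return '<div class="bpvm-vote"><span class="bpvm-label">' + escapeHtml(pollLabel) + '</span></div>';
}

// Hardened option B (preferred): validate the value against a strict allow-list
// and write it through a text sink, so free text never becomes markup.
// `container` is any DOM element; textContent assigns plain text and never
// parses tags.
function parsePollId(raw) {
  return typeof raw === 'string' && /^[0-9]{1,10}$/.test(raw) ? Number(raw) : null;
}
function renderVoteLabel(container, rawPollParam) {
  const pollId = parsePollId(rawPollParam);
  container.textContent = pollId === null ? 'Invalid poll' : 'Poll #' + pollId;
  return pollId;
}

// Constructed payload for demonstration; onerror fires without user interaction.
const PAYLOAD = '<img src=x onerror=alert(document.cookie)>';

// Run the three renderings over the same crafted URL so they can be compared.
function demoXss() {
  const params = readPollParams('https://example.org/vote/?poll=7#poll=' + encodeURIComponent(PAYLOAD));
  return {
    queryValue: params.fromQuery,
    fragmentValue: params.fromFragment,
    unsafe: buildVoteMarkupUnsafe(params.fromFragment),
    escaped: buildVoteMarkupEscaped(params.fromFragment),
    validated: parsePollId(params.fromFragment),
  };
}
```

Option B is the stronger fix because a vote or poll reference is an identifier, not free text; once the value is constrained to digits there is nothing left to encode. Option A is the right choice where a human-readable label genuinely must be displayed, and then the encoding has to match the sink (HTML text here; an attribute or a URL context needs different encoding).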
Affected Systems
The issue affects the WordPress BWL Pro Voting Manager plugin by xenioushk, in all releases up to and including version 1.4.9. Any WordPress site running one of those versions is potentially vulnerable; administrators should check the installed plugin version (shown on the Plugins screen and in the Version header of the plugin's main file) and update to a later release if one is available.
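As an added example (not code from the plugin or from OpenCVE), the check below reads the Version header that every WordPress plugin carries in its main PHP file and decides whether it falls in the affected range, i.e. is less than or equal to 1.4.9. The plugin header text is constructed for illustration and is not the real plugin file; the comparison is numeric per component, because a plain string comparison would wrongly rank 1.4.10 below 1.4.9.

```javascript
// Added example, not code from the BWL Pro Voting Manager plugin or OpenCVE.
// Last affected version as stated in the advisory text.
const LAST_AFFECTED = '1.4.9';

// Split a dotted version into numeric components. A pre-release suffix such as
// "1.5.0-beta1" is dropped (assumption: it has no ordering significance here).
function parseVersion(v) {
  return String(v).trim().split('-')[0].split('.').map(part => {
    const n = parseInt(part, 10);
    if (Number.isNaN(n)) throw new Error('not a numeric version component: ' + part);
    return n;
  });
}

// Component-wise comparison returning <0, 0 or >0; missing components count as 0,
// so "1.4" equals "1.4.0".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

function isAffected(installedVersion) {
  return compareVersions(installedVersion, LAST_AFFECTED) <= 0;
}

// Extract the "Version:" line from a WordPress plugin file header comment.
function versionFromPluginHeader(phpSource) {
  const m = /^[ \t*]*Version:\s*(.+?)\s*$/mi.exec(phpSource);
  return m ? m[1] : null;
}

// Constructed sample header, not the real plugin file.
const SAMPLE_HEADER = `<?php
/**
 * Plugin Name: Example Voting Plugin
 * Version: 1.4.10
 */`;

function demoVersionCheck() {
  const version = versionFromPluginHeader(SAMPLE_HEADER);
  return { version, affected: version === null ? null : isAffected(version) };
}
```

On a live site the same header can be read from `wp-content/plugins/<plugin-dir>/<main-file>.php`, or the version taken from the Plugins screen; the comparison logic is what matters, since "1.4.10" and "1.4.9" sort the wrong way as strings.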
Risk and Exploitability
The CVSS score of 6.5 corresponds to medium severity, and the EPSS score below 1% indicates a low predicted probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to get a victim to load a page on the vulnerable site with the malicious input present, typically by sending a crafted URL or by placing the payload in voting data that an authenticated or unauthenticated user will later view. Because the injection is DOM-based, the payload may be carried in a part of the URL, such as the fragment, that the browser does not send to the server, in which case it will not appear in server logs or be inspected by a server-side WAF. Where the vulnerable plugin is present, a successful attack compromises the victim's session through their own browser.
OpenCVE Enrichment