Impact
The vulnerability is a reflected cross‑site scripting (XSS) flaw (CWE‑79) that arises from improper neutralization of user‑supplied input during dynamic web page generation in the Opencart Product in WP plugin. When an attacker crafts a URL or other input that is displayed by the plugin, the malicious payload is echoed directly into the browser, allowing the execution of arbitrary JavaScript. This can lead to theft of session cookies, defacement of the site, or redirecting users to phishing pages.
Affected Systems
The flaw affects every release of the rajib.dewan Opencart Product in WP plugin up to and including version 1.0.1. The product is distributed as a WordPress plugin.
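To check whether a site carries an affected copy, the following added example (not code from the plugin or from the advisory) scans a WordPress plugins directory for plugin headers and flags installs at or below 1.0.1. It assumes the plugin's "Plugin Name" header equals the product name used here, and the default path wp-content/plugins is also an assumption.

```python
import re
from pathlib import Path

# Assumption: the "Plugin Name" header equals the product name used in the advisory.
AFFECTED_NAME = "opencart product in wp"
LAST_AFFECTED = (1, 0, 1)  # advisory: every release up to and including 1.0.1

# Header line: optional comment characters, field name, colon, value.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)


def read_plugin_header(php_file):
    """Return the Plugin Name and Version header fields of one PHP file."""
    with open(php_file, encoding="utf-8", errors="replace") as handle:
        head = handle.read(8192)  # WordPress only scans the start of the file
    fields = {}
    for key, value in HEADER_RE.findall(head):
        fields.setdefault(key.lower(), value.rstrip("*/ \t"))
    return fields


def version_tuple(text):
    """'1.0.1-beta' -> (1, 0, 1); an unparsable version sorts lowest (flagged)."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    parts = [int(p) for p in match.group().split(".")] if match else [0]
    return tuple(parts + [0] * (3 - len(parts)))


def find_affected(plugins_dir):
    """List (path, version) for installed copies at or below 1.0.1."""
    root = Path(plugins_dir)
    hits = []
    # Main plugin files live at plugins/<file>.php or plugins/<slug>/<file>.php.
    for php_file in sorted([*root.glob("*.php"), *root.glob("*/*.php")]):
        header = read_plugin_header(php_file)
        if header.get("plugin name", "").lower() != AFFECTED_NAME:
            continue
        version = header.get("version", "")
        if version_tuple(version) <= LAST_AFFECTED:
            hits.append((str(php_file), version))
    return hits


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    for path, version in find_affected(target):
        print(f"AFFECTED {path} (version {version or 'unknown'})")
```

A copy whose Version header is missing or unparsable is reported as affected, so an unknown install is reviewed rather than skipped.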
Risk and Exploitability
The CVSS score of 7.1 indicates a high‑moderate severity, while the EPSS score of less than 1% suggests that active exploitation is currently rare. The vulnerability is not listed in the CISA KEV catalog, and no known active exploits have been reported. Based on the description, it is inferred that an attacker would need to lure a victim to a specially crafted URL – user interaction is required – to deliver the reflected XSS payload. Once the payload executes, the attacker can hijack the victim’s session or steal sensitive data. The overall risk is moderate but should be mitigated promptly.