Impact
The vulnerability is an Improper Neutralization of Input During Web Page Generation flaw that allows attackers to inject arbitrary JavaScript into pages rendered by the AW WooCommerce Kode Pembayaran WordPress plugin. This issue is classified as CWE‑79 and permits reflected XSS when a maliciously crafted input is reflected back in the HTML output. An attacker can cause client‑side scripts to run when a user visits a page that contains the manipulated input.
Affected Systems
WordPress installations running any version of the AW WooCommerce Kode Pembayaran plugin prior to 1.1.5 (that is, all releases up through 1.1.4) are affected. The plugin is distributed by agenwebsite and is commonly used on e‑commerce sites that process payments.
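One way to check a site against the affected range above, as an added example that is not part of the original advisory or the plugin's code: it scans a plugins directory for main files whose header names this plugin and flags versions before 1.1.5. It assumes the plugin's `Plugin Name` header matches the name used in this advisory; the sample header is constructed.

```python
import re
import sys
from pathlib import Path

PLUGIN_NAME = "AW WooCommerce Kode Pembayaran"  # name as given in the advisory
FIXED_VERSION = "1.1.5"                         # first unaffected release per the advisory

# Constructed sample of a plugin main-file header (not the plugin's real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: AW WooCommerce Kode Pembayaran
 * Version: 1.1.4
 */
"""

def read_header(text, field):
    """Return a WordPress plugin header field such as 'Version', or None."""
    pattern = r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$"
    m = re.search(pattern, text[:8192], re.M | re.I)
    return m.group(1).strip() if m else None

def version_key(version):
    """Turn '1.1.4' into (1, 1, 4); a '-suffix' is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))

def is_affected(version):
    """True for every release before FIXED_VERSION."""
    return version_key(version) < version_key(FIXED_VERSION)

def audit(plugins_dir):
    """Return (path, version, affected) for each main file of the plugin."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        text = php.read_text(encoding="utf-8", errors="replace")
        name = read_header(text, "Plugin Name")
        if name is None or name.casefold() != PLUGIN_NAME.casefold():
            continue
        version = read_header(text, "Version")
        # No Version header: flag it so the install gets reviewed by hand.
        findings.append((str(php), version, version is None or is_affected(version)))
    return findings

if __name__ == "__main__":
    # Usage: python audit.py /path/to/wp-content/plugins
    for path, version, affected in audit(sys.argv[1]):
        print(f"{'AFFECTED' if affected else 'ok'}\t{version}\t{path}")
```

Matching on the header name rather than the directory name also catches installs where the plugin folder was renamed.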
Risk and Exploitability
The CVSS score of 7.1 indicates a medium‑to‑high risk level. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a reflected XSS scenario where a crafted URL or form parameter is embedded in a page; no user authentication is required, so any visitor to the site could be affected. Upon successful exploitation, malicious code could execute in the victim’s browser when they view a page containing the crafted input.