The FOMO Pay Chinese Payment Solution plugin for WordPress contains a reflected cross‑site scripting flaw caused by inadequate input neutralization in the web page generation. An attacker can embed malicious scripts that run in the browsers of users who view the affected content, enabling cookie theft, session hijacking, or arbitrary client‑side actions. This breach of client‑side integrity is a characteristic CWE‑79 weakness and can be triggered by any user who follows a crafted link or submits a form that reflects back data.

WordPress sites that employ the FOMO Pay Chinese Payment Solution plugin version 2.0.4 or earlier. The plugin, sold under the vendor name fomopay and identified by the package name fomo-payment-gateway-for-woocommerce, is impacted across all supported WordPress installations hosting that version range.

The vulnerability has a CVSS score of 7.1, indicating moderate to high severity, while the EPSS score is less than 1%, suggesting a low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. The likely attack vector is remote over the web, inferred from the nature of reflected XSS, which requires an attacker to deliver a malicious URL or form payload that is echoed back to the user’s browser. Exploitation depends on social engineering or phishing to entice victims to visit the crafted content.