Impact
The vulnerability arises from improper neutralization of user input during HTML page generation in the Local Shipping Labels for WooCommerce plugin. An attacker can craft a URL or form input whose value is reflected unescaped into the page returned to the victim's browser, injecting arbitrary JavaScript and enabling cookie theft, session hijacking, or defacement. Because the flaw is a reflected XSS, the injected code runs in the context of whichever user views the crafted payload, which may include the site owner or customers.
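As an added illustration of the weak pattern this advisory describes (hypothetical code, not the plugin's own), the snippet below reflects a request parameter into generated HTML once verbatim and once escaped for its exact HTML context with WordPress's `esc_attr()`/`esc_html()`; the parameter name `label_search` and the fallback definitions are assumptions so the file also runs outside WordPress.

```php
<?php
// Hypothetical illustration of reflected XSS in a WordPress plugin's HTML
// generation. This is NOT the Local Shipping Labels for WooCommerce code.

// Fallbacks (approximations) so the file runs outside WordPress; inside
// WordPress the real esc_html()/esc_attr()/sanitize_text_field() are used.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        return trim(strip_tags((string) $str));
    }
}

// Weak pattern: the request value lands in the page verbatim, so a quote
// and angle bracket in the value break out of the attribute and text nodes.
function render_label_search_vulnerable(array $request): string {
    $q = $request['label_search'] ?? '';
    return '<input type="text" name="label_search" value="' . $q . '">'
         . '<p>Results for: ' . $q . '</p>';
}

// Hardened pattern: sanitize on input, then escape for the exact output
// context (attribute value vs. element text) at the point of echo.
function render_label_search_hardened(array $request): string {
    $q = sanitize_text_field($request['label_search'] ?? '');
    return '<input type="text" name="label_search" value="' . esc_attr($q) . '">'
         . '<p>Results for: ' . esc_html($q) . '</p>';
}

// Constructed sample input: a value carrying markup, as a crafted link would.
$sample = ['label_search' => '"><em>injected</em>'];

echo "Vulnerable:\n" . render_label_search_vulnerable($sample) . "\n\n";
echo "Hardened:\n" . render_label_search_hardened($sample) . "\n";
```

The vulnerable output contains a closed `<input>` followed by a live `<em>` element, while the hardened output keeps the whole value inside the attribute and text as inert `&quot;&gt;&lt;em&gt;...` sequences.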
Affected Systems
Any WordPress site running the Local Shipping Labels for WooCommerce plugin at version 1.0.0 or earlier is vulnerable. The flaw affects all releases from the earliest available up to and including version 1.0.0, regardless of the WordPress version or hosting setup.
Risk and Exploitability
The CVSS score of 7.1 indicates a medium severity flaw, while the EPSS score of less than 1% suggests a very low likelihood of exploitation at present. Because the vulnerability is a reflected XSS, the attack vector typically requires a victim to click a crafted link or load a malicious page; authentication is not required for the action that delivers the payload. The flaw is not listed in the CISA KEV catalog, reducing concern about widespread active exploitation. Nonetheless, any user who receives the crafted link can be compromised, so the risk remains significant for exposed administrative interfaces or public-facing pages that invoke the plugin's functionality.
OpenCVE Enrichment