Impact
The vulnerability is a reflected cross-site scripting (XSS) flaw caused by improper neutralization of user-supplied input in the Akadrama Shipping with Venipak for WooCommerce plugin. Input that reaches the plugin is written back into a generated page without adequate escaping, so an attacker who lures a victim into opening a specially constructed URL gets arbitrary JavaScript executed in the victim's browser, in the security context of the affected WooCommerce site. From there the attacker can attempt session hijacking, page defacement, or theft of sensitive information the victim can see or submit. The primary consequence is loss of confidentiality and integrity of user data, together with potential compromise of the victim's session.
Affected Systems
All releases of the Akadrama Shipping with Venipak for WooCommerce plugin up to and including version 1.22.3 are affected; no earlier version is known to be free of the issue.
Risk and Exploitability
With a CVSS score of 7.1 the vulnerability falls in the High severity band (7.0 to 8.9 on the CVSS v3.x scale); the score is tempered by the fact that exploitation requires a victim to interact, by opening an attacker-supplied link. The EPSS score of less than 1% indicates a very low estimated probability of exploitation at this time, and the vulnerability is not currently listed in the CISA KEV catalog, meaning no confirmed in-the-wild exploitation has been reported there (absence from KEV is not evidence that no attacks have occurred). To exploit it, an attacker must craft a payload that passes through the plugin's input handling and is reflected unescaped into a generated page, typically by manipulating query parameters or form inputs on the WooCommerce site, and then deliver the resulting URL to a victim.
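The pattern described above, as an added illustration and not code from the Akadrama Shipping with Venipak plugin: a query-string value echoed straight into HTML (the vulnerable shape) beside the same field rendered with input sanitization and context-appropriate output escaping. The parameter name `venipak_pickup` and the rendering functions are hypothetical. The `function_exists` fallbacks only exist so the file runs under the `php` CLI outside WordPress; inside a plugin the real `esc_attr()`, `esc_html()` and `sanitize_text_field()` are used and the fallbacks are never defined.

```php
<?php
// Added example: generic reflected-XSS pattern in a WordPress/WooCommerce shipping
// field and its hardened form. Not the plugin's own code; names are hypothetical.

// Stand-alone stand-ins so this runs outside WordPress. WordPress's real
// sanitize_text_field() also strips octets, line breaks and extra whitespace;
// this simplified version only strips tags and trims.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        return trim(strip_tags($s));
    }
}

// VULNERABLE: the raw query-string value is concatenated into an attribute value
// and into element text. A value such as  "><script>alert(1)</script>  closes the
// attribute and the <input> tag, and the browser executes the script.
function render_pickup_field_vulnerable(array $get): string {
    $pickup = $get['venipak_pickup'] ?? '';
    return '<input type="text" name="venipak_pickup" value="' . $pickup . '">'
         . '<p>Selected pickup point: ' . $pickup . '</p>';
}

// HARDENED: sanitize once on the way in, then escape on the way out with the
// escaper that matches each output context (attribute vs. text node). Output
// escaping is the control that actually prevents the reflection; sanitization
// alone would still leave dangerous characters such as the double quote intact.
function render_pickup_field_hardened(array $get): string {
    $pickup = sanitize_text_field($get['venipak_pickup'] ?? '');
    return '<input type="text" name="venipak_pickup" value="' . esc_attr($pickup) . '">'
         . '<p>Selected pickup point: ' . esc_html($pickup) . '</p>';
}

// Constructed attacker input, as it would arrive in $_GET after the victim opens
// a crafted URL like  /checkout/?venipak_pickup=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
$constructed_get = ['venipak_pickup' => '"><script>alert(1)</script>'];

echo "Vulnerable rendering:\n" . render_pickup_field_vulnerable($constructed_get) . "\n\n";
echo "Hardened rendering:\n"   . render_pickup_field_hardened($constructed_get) . "\n";
```

Run it with `php reflected_xss_demo.php`: the vulnerable output contains a live `<script>` element after the `<input>` tag, while the hardened output keeps the payload inside the quoted attribute as `&quot;&gt;alert(1)` with the tags removed. When reviewing a plugin for this class of bug, look for every place a `$_GET`, `$_POST` or `$_REQUEST` value (or anything derived from one) is echoed, and confirm an `esc_*()` call sits between the value and the HTML.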