Impact
The vulnerability arises from improper neutralization of input during web page generation in the PeproDev WooCommerce Receipt Uploader plugin, allowing an attacker to inject malicious script into a page that is rendered to the victim. If an attacker successfully delivers a crafted request, the injected code will execute in the victim’s browser, enabling session hijacking, credential theft, or defacement. This weakness is classified as Cross‑Site Scripting (CWE‑79).
Affected Systems
The flaw exists in all releases of PeproDev WooCommerce Receipt Uploader up to and including version 2.6.9. Any WordPress installation that has this plugin installed and is reachable from the Internet is vulnerable, regardless of user role, as the reflected input can be supplied via a URL parameter.
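The following WordPress plugin fragment is an added illustration of the CWE-79 pattern the advisory describes, not code from the PeproDev WooCommerce Receipt Uploader plugin: a reflected URL parameter written into the page without output encoding, shown next to a hardened form that uses WordPress' own sanitisation and escaping API (`wp_unslash`, `sanitize_text_field`, `esc_html`, `esc_attr`). The parameter name `receipt_status` and the function names are hypothetical; the code assumes it runs inside WordPress, where those helpers are defined.

```php
<?php
// Added example, not the plugin's code. The parameter "receipt_status" is hypothetical.

// VULNERABLE: the raw query-string value is concatenated into HTML. Any markup
// contained in the value is parsed as markup by the viewer's browser, which is
// exactly the "improper neutralization during web page generation" of CWE-79.
function rcpt_status_notice_vulnerable(): string {
    $status = isset($_GET['receipt_status']) ? $_GET['receipt_status'] : '';
    return '<div class="notice">Receipt status: ' . $status . '</div>';
}

// HARDENED: unslash and sanitise on input, restrict to the values the feature
// actually needs, and escape for the HTML text context at the point of output.
function rcpt_status_notice_hardened(): string {
    $status = isset($_GET['receipt_status'])
        ? sanitize_text_field(wp_unslash($_GET['receipt_status']))
        : '';

    // Allow-list: a receipt status can only ever be one of a few known words.
    $allowed = array('pending', 'approved', 'rejected');
    if (!in_array($status, $allowed, true)) {
        $status = 'unknown';
    }

    // esc_html() is kept even though the allow-list already bounds the value;
    // escaping at output is the control that holds if the allow-list is later relaxed.
    return '<div class="notice">Receipt status: ' . esc_html($status) . '</div>';
}

// Context matters: a value placed inside an attribute needs the attribute escaper.
function rcpt_status_hidden_field_hardened(string $status): string {
    return '<input type="hidden" name="receipt_status" value="' . esc_attr($status) . '">';
}

// In a real plugin these would be wired to a hook, e.g.:
// add_action('admin_notices', function () { echo rcpt_status_notice_hardened(); });
```

The defensive takeaway is the pairing of input sanitisation with context-specific output escaping: `sanitize_text_field` alone does not make a value safe to print, and `esc_html` is only correct for HTML text, so a value landing in an attribute or in JavaScript needs `esc_attr` or `esc_js` respectively.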
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, and the low EPSS score (<1%) suggests that automated exploitation is currently rare. The vulnerability is not listed in the CISA KEV catalog, but because exploitation only requires a crafted URL that can be delivered through social engineering or phishing, a targeted attack remains plausible. The attack vector is most likely Remote Web (user input via a URL). The impact is confined to the victim's browser session, but it can be leveraged for more destructive business-process attacks if credentials are obtained.
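Because the advisory's exploitation path is a crafted URL that a victim is lured into opening, the web server's access log is where such attempts surface. The PHP command-line script below is an added example, not part of the advisory or the plugin: it parses access-log lines, percent-decodes the query-string values, and flags values that contain tag starts, `on*` event handlers or a `javascript:` scheme, which no legitimate receipt-status parameter would carry. The log lines are constructed, and the `/my-account/` path and `receipt_status` parameter are hypothetical stand-ins.

```php
<?php
// Added example (not from the advisory or the plugin). Sample log lines are constructed;
// the request path and the parameter name are hypothetical.

const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [10/Mar/2025:12:00:01 +0000] "GET /my-account/?receipt_status=approved HTTP/1.1" 200 5120
203.0.113.11 - - [10/Mar/2025:12:00:05 +0000] "GET /my-account/?receipt_status=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 5204
203.0.113.12 - - [10/Mar/2025:12:00:09 +0000] "GET /my-account/?receipt_status=%22%20onerror%3D%22x HTTP/1.1" 200 5198
203.0.113.13 - - [10/Mar/2025:12:00:12 +0000] "GET /wp-login.php HTTP/1.1" 200 3000
LOG;

/**
 * Extract the request target from a combined-format log line and return its
 * query-string parameters, percent-decoded, keyed by parameter name.
 */
function query_values(string $logLine): array {
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP/', $logLine, $m)) {
        return array();
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return array();            // no query string, or an unparsable target
    }
    parse_str($query, $params);    // parse_str() percent-decodes each value
    return $params;
}

/**
 * Heuristic for a reflected-XSS attempt: after lower-casing and entity-decoding,
 * the value opens a tag, sets an on* event handler, or uses a javascript: URL.
 */
function looks_like_markup_injection(string $value): bool {
    $v = strtolower(html_entity_decode($value, ENT_QUOTES));
    return (bool) preg_match('/<\s*\/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:/', $v);
}

/**
 * Scan log text and return one [client IP, parameter, decoded value] triple
 * per suspicious parameter value.
 */
function flag_suspicious_requests(string $log): array {
    $hits = array();
    foreach (preg_split('/\R/', trim($log)) as $line) {
        foreach (query_values($line) as $name => $value) {
            if (is_string($value) && looks_like_markup_injection($value)) {
                $ip = strtok($line, ' ');   // first field of the combined format
                $hits[] = array($ip, (string) $name, $value);
            }
        }
    }
    return $hits;
}

foreach (flag_suspicious_requests(SAMPLE_LOG) as [$ip, $name, $value]) {
    printf("%-15s %-15s %s\n", $ip, $name, $value);
}
```

Run it with `php scan.php`; on the constructed input it reports the second and third requests and stays silent on the legitimate `approved` value and the login page. The heuristic is deliberately narrow so that it can run over large logs with few false positives; treat a hit as a lead for triage of the client IP and the referring page, not as proof of compromise.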
OpenCVE Enrichment