Impact
The PORTONE 우커머스 결제 WordPress plugin contains a reflected cross‑site scripting flaw: it does not neutralize user‑supplied input when generating web page content. This weakness, classified as CWE‑79, allows an attacker to embed malicious JavaScript in a URL or form field. When a legitimate visitor loads the crafted link, the browser executes the injected script in the site’s context, enabling credential theft, session hijacking, defacement or delivery of further malware.
Affected Systems
All WordPress sites that have installed the IAMPORT for WooCommerce plugin (brand name PORTONE 우커머스 결제) version 3.2.4 or earlier are vulnerable. No further sub‑range is specified beyond the <=3.2.4 cutoff, so any build up to this version is at risk. The issue is not limited to a particular WordPress version or theme.
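To check an installation against the cutoff above, the following added example (not part of the advisory or the plugin) reads the `Version:` header from a plugin directory's main PHP file and compares it numerically with 3.2.4. The function names and output labels are illustrative assumptions; pass the plugin's own directory under `wp-content/plugins/` as the argument.

```shell
#!/bin/sh
# Added example (not from the advisory). CUTOFF is the advisory's "<= 3.2.4".
CUTOFF="3.2.4"

# True (exit 0) when dotted version $1 <= $2; missing parts count as 0.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p != q) exit (p < q ? 0 : 1)
        }
        exit 0
    }'
}

# Print the Version header; WordPress reads it from the first 8 KiB of the file.
plugin_version() {
    head -c 8192 "$1" |
        sed -n 's|^[[:space:]/*#@]*Version:[[:space:]]*\([0-9][0-9A-Za-z.-]*\).*|\1|p' |
        head -n 1
}

# Print "AFFECTED <v>", "NOT_IN_RANGE <v>" or "NOT_FOUND" for a plugin directory.
check_plugin() {
    dir="$1"
    for f in "$dir"/*.php; do
        [ -f "$f" ] || continue
        head -c 8192 "$f" | grep -q 'Plugin Name:' || continue
        v=$(plugin_version "$f")
        [ -n "$v" ] || continue
        if version_le "$v" "$CUTOFF"; then
            echo "AFFECTED $v"
        else
            echo "NOT_IN_RANGE $v"
        fi
        return 0
    done
    echo "NOT_FOUND"
}

# Constructed sample: a fake plugin directory containing only a header file.
demo=$(mktemp -d)
printf '<?php\n/**\n * Plugin Name: Sample (constructed)\n * Version: 3.2.4\n */\n' > "$demo/main.php"
check_plugin "$demo"
rm -rf "$demo"
```

The comparison is numeric per component, so 3.2.10 is correctly treated as later than 3.2.4, which a plain string comparison would get wrong.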
Risk and Exploitability
The base CVSS score of 7.1 indicates high severity. The EPSS score of less than 1% suggests a low current probability of exploitation, with no widespread attacks recorded, and the vulnerability is not listed in the CISA KEV catalog. Exploitation generally requires only that an unsuspecting user click a malicious link or submit a crafted form field. It does not require authentication or privileged access and can be performed remotely from a web browser, making this a classic reflected XSS with significant risk to user trust and site integrity.