Impact
The vulnerability is a DOM-Based Cross-Site Scripting flaw that occurs when the Autoship Cloud for WooCommerce Subscription Products plugin does not properly neutralize user-controlled input during web page generation. An attacker could inject malicious JavaScript into the page, potentially enabling arbitrary script execution in the victim's browser, defacement of the site, or theft of sensitive data. The weakness is classified as CWE-79, indicating insufficient input sanitization in the rendering layer.
Affected Systems
WordPress sites that have the Autoship Cloud for WooCommerce Subscription Products plugin installed at a version up to and including 2.8.0.1 are affected. This includes any instance where the plugin is active and rendering subscription product pages. The issue is present on all supported WordPress installations that have not updated the plugin to a newer version.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, but the EPSS score of <1% indicates that real-world exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog as of this analysis. Exploitation would require the attacker to influence input that ends up in the DOM, such as crafted URLs or form data, which is feasible on public-facing sites that use the plugin. The attack vector is client-side: the script runs in the user's browser, so prevention depends on validating and encoding the data before it reaches the DOM.
OpenCVE Enrichment
EUVD