The Accounting for WooCommerce plugin contains an improper neutralization of input during web page generation that permits stored Cross‑Site Scripting. The flaw is a CWE‑79 vulnerability where arbitrary script can be injected into pages rendered by the plugin. A successful exploit could allow a malicious attacker to execute scripts in the context of a visitor’s browser, potentially leading to credential theft, session hijacking or defacement. Of the three core security properties, the principal risk is to confidentiality and integrity of user data presented through the plugin, and it could affect all users who view the affected content.

All WordPress installations using Bastien Ho’s Accounting for WooCommerce plugin version 1.6.8 or earlier are susceptible. The vulnerability applies to every release in the series from the first available version up through and including 1.6.8, and is remedied only in later releases.

The CVSS score of 5.9 denotes a moderate severity for this stored XSS issue. The EPSS score of <1% indicates that the current likelihood of exploitation is low, and the vulnerability is not currently listed in the CISA KEV catalog. The attack vector likely involves an attacker supplying malicious input through plugin-administered forms or data fields that are subsequently saved and rendered without proper sanitization. No advanced prerequisites are specified beyond the ability to inject payloads into the plugin’s storage mechanism; exploitation may be possible via an authenticated or unauthenticated session depending on the availability of input entry points.