Impact
The vulnerability is a reflected XSS flaw that, based on the description, likely allows attackers to inject arbitrary client‑side scripts into the output of the WordPress QR Code for WooCommerce plugin by supplying malicious input. The likely attack vector is an attacker who lures a site visitor to a crafted URL or form submission that triggers execution of the attacker’s script in the victim’s browser. This could lead to session hijacking, credential theft, defacement of the site, or redirection to phishing sites. Since the injected script runs in the context of the plugin’s page, the impact falls primarily on the integrity and confidentiality of user data accessible from the victim’s browser.
Affected Systems
Affected installations are those running the Bappa Mal QR Code for WooCommerce WordPress plugin version 1.2.0 or earlier. The plugin is commonly used in WooCommerce stores to generate QR codes for products or checkout pages. Any site that has not upgraded beyond 1.2.0 remains vulnerable. Administrators should verify the installed version and apply the fix.
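As an added illustration (not code from the QR Code for WooCommerce plugin, whose vulnerable code is not shown on this page), the following shows the general reflected-XSS pattern described under Impact beside the hardened WordPress form, plus the version check suggested under Affected Systems. The request parameter name `product_label`, the `qrwc_example_*` function names and the plugin main-file path are assumptions; `sanitize_text_field`, `wp_unslash`, `esc_html`, `esc_attr` and `get_plugin_data` are standard WordPress functions.

```php
<?php
// Added illustration, not the plugin's own code. Shows how a reflected XSS arises when
// a request value is written into plugin output unescaped, and the hardened equivalent.
// 'product_label' and the qrwc_example_* names are assumptions for this example.

// Vulnerable pattern: the raw query value is echoed into the page, so a crafted link
// carrying markup in ?product_label= executes in the visitor's browser.
function qrwc_example_render_label_vulnerable(): string {
    $label = isset( $_GET['product_label'] ) ? $_GET['product_label'] : '';
    return '<p class="qr-label">' . $label . '</p>';   // no sanitisation, no escaping
}

// Hardened pattern: unslash and sanitise on input, then escape for the exact output
// context (esc_html for text nodes, esc_attr for attribute values, esc_url for href/src).
function qrwc_example_render_label_safe(): string {
    $label = isset( $_GET['product_label'] )
        ? sanitize_text_field( wp_unslash( $_GET['product_label'] ) )
        : '';
    $label = mb_substr( $label, 0, 100 );               // length cap as defence in depth
    return sprintf(
        '<p class="qr-label" data-label="%s">%s</p>',
        esc_attr( $label ),
        esc_html( $label )
    );
}

// Administrator check: is the installed plugin version within the affected range
// (1.2.0 or earlier)? $plugin_main_file is the absolute path to the plugin's main
// PHP file, e.g. WP_PLUGIN_DIR . '/<plugin-slug>/<main-file>.php' (placeholder).
function qrwc_example_is_affected_version( string $plugin_main_file ): bool {
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $data = get_plugin_data( $plugin_main_file, false, false );
    return version_compare( $data['Version'], '1.2.0', '<=' );
}
```

The hardened function applies the two controls that a reflected XSS needs to be missing: input sanitisation (`sanitize_text_field` strips tags and control characters) and context-specific output escaping at the point of rendering. Escaping at output is the control that actually prevents script execution; sanitisation alone is not sufficient because the same value may later be rendered in a context the sanitiser did not anticipate.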
Risk and Exploitability
The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests a low current probability of exploitation, and the flaw has no known public exploit. Because it is a reflected XSS, exploitation requires an attacker to entice a user into visiting a malicious link or submitting crafted data. The vulnerability is not listed in CISA’s KEV catalog, so it is not known to be actively exploited at present. Nonetheless, the simplicity of the attack path warrants prompt remediation.
OpenCVE Enrichment