Impact
A reflected cross‑site scripting flaw in the Better WishList API plugin allows attackers to inject arbitrary JavaScript into pages served to users. This weakness originates from insufficient input sanitization when the plugin renders user-supplied data, exposing sites to session hijacking, credential theft, or defacement. The vulnerability can be triggered via crafted URLs visited by a target user, and does not require authentication. The associated weakness is CWE‑79, indicating a classic XSS scenario with potential compromise of confidentiality and integrity for end‑users.
Affected Systems
WordPress sites running the Better WishList API plugin version 1.1.4 or earlier. The plugin is developed by rickonline_nl and is widely used in public e‑commerce WordPress installations. No explicit affected version range is listed beyond "<= 1.1.4", so any deployment of that or earlier releases is susceptible.
Risk and Exploitability
The CVSS score of 7.1 reflects the significant user impact, though the EPSS score of less than 1% indicates that widespread exploitation is currently unlikely. The issue is not listed in the CISA KEV catalog, further suggesting low exploitation prevalence. However, the standard delivery path for a reflected XSS applies: an attacker places malicious code in a link distributed by email or posted on social media, and when an unsuspecting site visitor clicks it, the script executes in the victim's browser. No elevated privileges are required, and the impact falls on the visitor whose browser runs the injected script rather than on the web server itself.
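To make the "insufficient sanitization when rendering user-supplied data" pattern concrete, the following is an added illustration and not code from the Better WishList API plugin: a hypothetical handler that reflects a `wishlist` query parameter into markup, first unescaped, then hardened with WordPress's own `sanitize_text_field`, `esc_attr` and `esc_html` (fallbacks are defined so the file also runs under plain `php` outside WordPress).

```php
<?php
// Added example (not the plugin's code). Shows why echoing a query value
// straight into HTML is a reflected XSS, and the escape-on-output fix.

// Minimal stand-ins so this runs outside WordPress; inside WordPress the
// real functions are already defined and these blocks are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}
if (!function_exists('sanitize_text_field')) {
    // Approximation of the WordPress helper: strip tag markup and trim.
    function sanitize_text_field($text) { return trim(strip_tags((string) $text)); }
}

// VULNERABLE (hypothetical): the user-controlled value is concatenated into
// both an attribute and element text without escaping, so whatever the
// crafted URL carries is reflected verbatim into the page.
function render_wishlist_header_vulnerable(array $query): string {
    $name = isset($query['wishlist']) ? $query['wishlist'] : '';
    return '<h2 class="wishlist" data-name="' . $name . '">' . $name . '</h2>';
}

// HARDENED: sanitize on input, then escape on output with the function that
// matches each HTML context. ENT_QUOTES matters for the attribute: without
// it a double quote could still terminate data-name="...".
function render_wishlist_header_hardened(array $query): string {
    $name = isset($query['wishlist']) ? sanitize_text_field($query['wishlist']) : '';
    return '<h2 class="wishlist" data-name="' . esc_attr($name) . '">' . esc_html($name) . '</h2>';
}

// Constructed sample of the kind of value a crafted link could carry.
$sample = ['wishlist' => '"><script>alert(1)</script>'];
echo 'Vulnerable: ' . render_wishlist_header_vulnerable($sample) . PHP_EOL;
echo 'Hardened:   ' . render_wishlist_header_hardened($sample) . PHP_EOL;
```

The vulnerable line closes the attribute and injects a live `<script>` element, whereas the hardened output renders the same input as inert text (`&quot;&gt;alert(1)`), which is the property a reviewer should verify at every point where the plugin echoes request data.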
OpenCVE Enrichment