Impact
An attacker can inject malicious script code into a web page displayed to users. The vulnerability arises from improper neutralization of user-supplied input when the WooCommerce Fattureincloud plugin generates a page. As a result, an attacker who persuades or tricks a user into visiting a crafted URL can cause the user's browser to execute arbitrary JavaScript that may steal session cookies, hijack the user's account, or modify page content. The underlying weakness is a classic reflected XSS flaw (CWE-79).
Affected Systems
The WooCommerce Fattureincloud plugin versions up to and including 2.6.7, supplied by Cristiano Zanca, are affected. The vulnerability impacts any WordPress site that has this plugin installed and processes the vulnerable input fields. No specific WordPress core versions are listed as affected within the entry.
Risk and Exploitability
The CVSS score of 7.1 indicates moderate severity. The EPSS score of less than 1% suggests a very low probability that the vulnerability is being actively exploited. The plugin is not listed in the CISA KEV catalog, further implying that no widespread exploitation has been observed. Based on the description, an attacker would need to lure a user to a specially crafted URL that includes malicious input handled by the plugin, so the attack likely requires user interaction; this is an inference from the description rather than a stated fact. The issue can be mitigated by disabling the plugin or applying a patch.
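As an added illustration of the weakness class and its code-level fix (this is not the plugin's own code; the entry does not name the affected fields, so the parameter name `fic_search` is a placeholder), the snippet below reflects a request value into a page first unescaped, then through WordPress's context-specific escaping helpers. The fallback definitions of `esc_attr()`/`esc_html()` are there only so it runs under plain `php` outside WordPress.

```php
<?php
// Added example of a reflected XSS (CWE-79) pattern and its fix. Not code from
// the WooCommerce Fattureincloud plugin; the parameter name is a placeholder.

// Fallbacks so this runs under plain `php`; inside WordPress the real
// esc_attr()/esc_html() already exist and these definitions are skipped.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable: the raw query value is written into the page unchanged, so a
// crafted URL controls the markup the victim's browser renders.
function render_search_box_vulnerable(array $get): string {
    $q = $get['fic_search'] ?? '';
    return '<input type="text" name="fic_search" value="' . $q . '">'
         . '<p>Results for: ' . $q . '</p>';
}

// Hardened: escape at the point of output, choosing the helper that matches
// the HTML context (attribute value vs. element text content).
function render_search_box_safe(array $get): string {
    $q = isset($get['fic_search']) ? (string) $get['fic_search'] : '';
    return '<input type="text" name="fic_search" value="' . esc_attr($q) . '">'
         . '<p>Results for: ' . esc_html($q) . '</p>';
}

// Constructed request, shaped like what a crafted URL would deliver in $_GET.
$request = ['fic_search' => '"><script>alert(1)</script>'];

echo "Vulnerable output:\n" . render_search_box_vulnerable($request) . "\n\n";
echo "Hardened output:\n"   . render_search_box_safe($request) . "\n";
// In the hardened output the quote and angle brackets from the input are
// entity-encoded, so the browser renders them as text instead of markup.
```

The same rule applies to every place a plugin echoes request data: sanitize on input if useful, but always escape on output for the context it lands in.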