Impact
Improper neutralization of user input during web page generation in the Make Email Customizer for WooCommerce plugin allows an attacker to inject malicious scripts that are reflected back to the user. This reflected XSS (CWE‑79) can be executed in the victim’s browser, potentially enabling session hijacking, cookie theft, defacement, or phishing. The vulnerability only affects client‑side confidentiality and integrity; the attacker cannot directly alter the server state or data. The impact is limited to users who view pages containing the injected input, but it can be leveraged to compromise any session that relies on the plugin’s output.
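To make the CWE-79 pattern concrete, the added example below (not the plugin's own code; the page does not name the affected parameter, so the `preview_subject` parameter and the preview markup are hypothetical) shows a WordPress-style render function that echoes request input unescaped next to the hardened version that escapes for each output context. Stand-ins for `esc_html()` and `esc_attr()` are defined only so the script runs outside WordPress.

```php
<?php
// Added illustration, not code from Make Email Customizer for WooCommerce.
// The parameter name `preview_subject` and the markup are hypothetical.

// Stand-ins so this runs from the PHP CLI; inside WordPress the real
// esc_html()/esc_attr() are already defined and these blocks are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern (CWE-79): the request value is reflected into the page
// exactly as received, in both an attribute and an element body.
function render_preview_vulnerable(array $request): string {
    $subject = $request['preview_subject'] ?? '';
    return '<input name="preview_subject" value="' . $subject . '">'
         . '<h2>' . $subject . '</h2>';
}

// Hardened pattern: escape for the exact context the value lands in.
// esc_attr() for attribute values, esc_html() for element content.
function render_preview_hardened(array $request): string {
    $subject = (string) ($request['preview_subject'] ?? '');
    return '<input name="preview_subject" value="' . esc_attr($subject) . '">'
         . '<h2>' . esc_html($subject) . '</h2>';
}

// Defender-side check: does rendered output still contain a raw tag boundary?
function contains_raw_markup(string $html, string $input): bool {
    // Only meaningful when the input itself carried markup characters.
    return strpbrk($input, '<>"') !== false && str_contains($html, $input);
}

// Constructed request, the shape a crafted query string would arrive in.
$request = ['preview_subject' => '<script>alert(1)</script>'];

$bad  = render_preview_vulnerable($request);
$good = render_preview_hardened($request);

echo "vulnerable reflects raw input: " . var_export(contains_raw_markup($bad, $request['preview_subject']), true) . "\n";
echo "hardened reflects raw input:   " . var_export(contains_raw_markup($good, $request['preview_subject']), true) . "\n";
echo $good . "\n";
```

The hardened output renders the submitted text literally (`&lt;script&gt;...`) in both contexts, which is the fix a plugin update for this class of bug would ship.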
Affected Systems
Excellent Dynamics’ WordPress plugin Make Email Customizer for WooCommerce is affected in all releases from the initial version up to and including 1.0.6. No specific WordPress core versions are mentioned, so any WordPress installation running an affected plugin version should be treated as vulnerable.
Risk and Exploitability
With a CVSS score of 7.1, the vulnerability is considered high impact. The EPSS score is reported as < 1 %, indicating a low probability that exploit code is actively being used, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is reflected input in URLs or form fields that the plugin renders, and no authentication appears to be required to trigger the script. Because the flaw is client‑side, an attacker can target any user who loads the vulnerable page with the crafted input, but the attack is confined to the victim’s browser context. Nonetheless, given the broad reach of WordPress sites and the prevalence of this plugin, the vulnerability remains a significant concern for site administrators.
OpenCVE Enrichment