Impact
The vulnerability is an improper neutralization of input during web page generation, classified as a reflected XSS flaw, which allows an attacker to inject malicious scripts into web pages served by WordPress sites using the License Manager for WooCommerce plugin. Because the input is reflected directly into the response without validation or output encoding, an attacker can exploit the flaw to execute arbitrary JavaScript in the context of a victim's browser session, potentially compromising user credentials, defacing the site, or performing phishing attacks. The associated CWE-79 indicates that the weakness lies in input validation and output encoding. The reported CVSS score of 7.1 signals a high severity level, consistent with the potential for significant confidentiality and integrity impacts if an attacker succeeds.
Affected Systems
This issue affects the Saad Iqbal License Manager for WooCommerce plugin for WordPress. All installations using version 3.0.9 or earlier are vulnerable. Specific versions are not enumerated beyond the upper bound, so any build from the first release up to and including 3.0.9 is at risk.
Risk and Exploitability
The EPSS score of less than 1% indicates a very low probability of exploitation at present, and the plugin is not listed in CISA's KEV catalog, suggesting that large-scale attacks have not been observed. Nevertheless, the exploitation path remains straightforward: an attacker crafts a URL in which a script payload is placed in a parameter the plugin reflects into the page, and lures a visitor to the WordPress site into clicking the link or otherwise submitting the request. Once executed, the script runs with the privileges of the victim's browser session. Because this is a reflected flaw, the victim must actively visit the malicious link, which limits the speed of potential attacks but still permits targeted phishing or credential theft campaigns.
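To make the CWE-79 pattern described above concrete, the following added illustration (not code from the License Manager for WooCommerce plugin, and not the actual vulnerable code path, which this advisory does not name) shows a reflected request parameter rendered the vulnerable way beside the WordPress-idiomatic hardened form. The parameter name `lmfwc_demo`, the function names and the nonce action are hypothetical placeholders.

```php
<?php
// Added illustration of the reflected-XSS pattern; the parameter name
// `lmfwc_demo` and these function names are hypothetical, not the plugin's.

// Vulnerable pattern (CWE-79): the request parameter is echoed into both an
// HTML attribute and element text with no output encoding, so a crafted link
// such as ?lmfwc_demo="><script>...</script> injects markup and script.
function lmfwc_demo_render_vulnerable() {
    $filter = isset( $_GET['lmfwc_demo'] ) ? wp_unslash( $_GET['lmfwc_demo'] ) : '';
    echo '<input type="text" name="lmfwc_demo" value="' . $filter . '">';
    echo '<p>Showing licenses matching: ' . $filter . '</p>';
}

// Hardened pattern: sanitize on input, then escape on output with the escaper
// that matches each HTML context (esc_attr for attributes, esc_html for text).
// Output escaping is the fix for the weakness; input sanitization alone is not.
function lmfwc_demo_render_hardened() {
    $filter = isset( $_GET['lmfwc_demo'] )
        ? sanitize_text_field( wp_unslash( $_GET['lmfwc_demo'] ) )
        : '';
    printf(
        '<input type="text" name="lmfwc_demo" value="%s">',
        esc_attr( $filter )
    );
    printf(
        '<p>Showing licenses matching: %s</p>',
        esc_html( $filter )
    );
}

// Defense in depth: requiring a nonce tied to the plugin's own form means an
// externally crafted link is rejected before anything is rendered. This
// reduces reachability of a reflected parameter but does not replace escaping.
function lmfwc_demo_render_checked() {
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_key( $_GET['_wpnonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'lmfwc_demo_filter' ) ) {
        wp_die( esc_html__( 'Invalid request.', 'lmfwc-demo' ), '', array( 'response' => 403 ) );
    }
    lmfwc_demo_render_hardened();
}
```

When reviewing a plugin build against this class of flaw, the check is that every `$_GET`/`$_REQUEST` value reaching `echo`, `printf` or a template passes through the context-appropriate `esc_*` function at the point of output.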