The plugin fails to encode or escape certain user‑supplied input before rendering it back in the browser. This improper neutralization of input – a classic CWE‑79 scenario – permits a reflected XSS attack. By injecting malicious script that is executed in a victim’s context, an attacker can steal session cookies, manipulate the page, or redirect users to phishing sites.

The vulnerability affects the WordPress plugin MyWorks WooCommerce Sync for QuickBooks Online from all unknown earlier releases up to and including version 2.9.1. Users of any site that has installed the plugin in this version range are exposed.

The CVSS score of 7.1 places the flaw in the high‑risk category, indicating that exploitation could significantly harm the user’s confidentiality, integrity and availability. The EPSS score is reported as < 1%, suggesting that the probability of real‑world exploitation is currently low, and the issue is not listed in the CISA KEV catalog. The likely attack path is the construction of a crafted URL or form that includes malicious JavaScript, which is then reflected by the plugin into a page that an unsuspecting user opens. Successful exploitation would require the user to load the resulting page; thus, it is a user‑interaction vulnerability.