Improper neutralization of user input during web page generation in WP Swings Wallet System for WooCommerce enables an attacker to inject malicious scripts into a page viewed by an end user. The vulnerability is a Cross‑Site Scripting flaw (CWE‑79). Based on the description, the likely attack vector is reflected requests such as crafted URLs or form inputs that cause the script to run in the victim’s browser, potentially compromising the integrity of the page or enabling unauthorized actions performed under the user's context.

WordPress sites deploying the WP Swings Wallet System for WooCommerce plugin. All releases from the beginning of the plugin’s life up to and including version 2.6.8 are affected. The issue does not affect later releases such as 2.6.9 and above.

The CVSS base score of 7.1 indicates moderate‑to‑high severity, while the EPSS score of less than 1 % suggests that exploitation is unlikely but possible. The vulnerability is not listed in the CISA KEV catalog, implying no verified widespread exploitation is publicly documented. Based on the description, the likely attack vector involves reflected requests via malicious links or form submissions that deliver executable code to the victim’s browser. Successful exploitation typically requires the user to interact with these inputs. Although the CVE does not specify particular consequences, reflected XSS commonly permits attackers to run arbitrary JavaScript in the user’s context, which could affect confidentiality and integrity of data displayed in the browser.