The identified flaw is a reflected cross‑site scripting vulnerability caused by improper sanitization of user‑supplied data during web page rendering. An attacker can embed a script in a request that is echoed back to the victim’s browser, enabling arbitrary JavaScript execution in the context of the site. Such script execution can be used to steal session cookies, deface content, or conduct phishing attacks. The impact is limited to the victim’s browser and does not affect the server directly, but it can lead to significant client‑side compromise. The weakness is classified as CWE‑79.

This vulnerability affects the WP Wham Crowdfunding for WooCommerce plugin for all releases up to and including version 3.1.12. No other versions are listed as impacted, and the issue is not present in later releases. The affected product is specifically the Crowdfunding for WooCommerce plugin from the WP Wham vendor.

The CVSS score of 7.1 categorizes the issue as high risk, while the EPSS score of <1% indicates that current exploitation probability is low. The vulnerability is not present in CISA’s KEV catalog, reducing the likelihood of widespread exploitation. The probable attack vector involves a crafted URL or form input that an unsuspecting user will visit or submit; the attacker needs the victim to load the page containing the reflected data for the script to run. Because the flaw is client‑side, it requires user interaction and does not enable arbitrary code execution on the server, but it still enables theft of authentication tokens or session hijacking through the victim’s browser.