Impact
The vulnerability is a reflected cross-site scripting flaw: the plugin fails to neutralize user-supplied input before rendering it in a browser. This weakness, classified as CWE-79, allows an attacker to inject arbitrary client-side scripts into pages served to users of the WordPress site. When triggered, the injected script executes in the victim's browser context, potentially leading to cookie theft, session hijacking, defacement, or distribution of other malicious payloads. The impact is confined to the affected plugin and to users who browse the affected pages, but it can compromise any user who views the compromised output, including administrators and visitors.
Affected Systems
The flaw affects the WordPress plugin Product Excel Import Export & Bulk Edit for WooCommerce developed by WPFactory. Versions from the initial release through 4.7 are known to be vulnerable. Any WordPress installation that has this plugin installed and enabled in these versions is susceptible unless mitigated by an update or other controls.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity for this reflected XSS flaw, while the EPSS score of less than 1% suggests that exploitation in the wild is currently considered a low probability. The flaw is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply crafted input that the plugin echoes back; in practice this is typically done by sending a victim a malicious link or having them submit a form that carries the vulnerable parameter. The likelihood of exploitation therefore depends on how the plugin is used and whether its pages are exposed to public access.
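The unescaped-echo pattern described under Impact, shown beside a hardened form, as an added illustration that is not code from the WPFactory plugin; the parameter name `import_status`, the function names, and the set of allowed values are hypothetical placeholders, and the hardened version assumes the WordPress `esc_html()`, `sanitize_text_field()`, `wp_unslash()` and `current_user_can()` APIs.

```php
<?php
// Added illustration of the CWE-79 pattern described on this page, not code
// from the affected plugin. The parameter name "import_status" and the
// function names are hypothetical placeholders.

// VULNERABLE: a query-string value is written straight into the page.
// Whoever controls the URL a user opens controls this fragment of HTML.
function hypothetical_render_status_vulnerable() {
    $status = isset( $_GET['import_status'] ) ? $_GET['import_status'] : '';
    echo '<div class="notice"><p>Import status: ' . $status . '</p></div>';
}

// HARDENED: validate on input, escape on output, and only render the page
// for users who are entitled to see it in the first place.
function hypothetical_render_status_hardened() {
    // 'manage_woocommerce' is the WooCommerce shop-manager capability;
    // an unauthenticated visitor never reaches the echo below.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return;
    }
    // wp_unslash() undoes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, NUL bytes and stray whitespace.
    $status = isset( $_GET['import_status'] )
        ? sanitize_text_field( wp_unslash( $_GET['import_status'] ) )
        : '';
    // Allow-list: restrict the value to the states the code actually emits.
    $allowed = array( 'pending', 'running', 'done', 'failed' );
    if ( ! in_array( $status, $allowed, true ) ) {
        $status = 'unknown';
    }
    // esc_html() is the output-side defence and must be applied at the point
    // the value enters HTML, even after the input has been validated.
    echo '<div class="notice"><p>Import status: ' . esc_html( $status ) . '</p></div>';
}
// For a value placed in an HTML attribute use esc_attr(); for a URL use esc_url().
```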