The vulnerability is an instance of Improper Neutralization of Input During Web Page Generation (CWE‑79), allowing attackers to inject malicious scripts into pages rendered by the MC Woocommerce Wishlist plugin. Because the plugin reflects unsanitized user input back to the browser, an attacker can execute arbitrary JavaScript in the context of a victim’s browser session, potentially leading to cookie theft, session hijacking, defacement, or the delivery of malware. This flaw resides in the plugin’s handling of user‑supplied data during wishlist generation and does not require elevated privileges on the site.

Affected systems are WordPress sites that have installed the Moreconvert Team MC Woocommerce Wishlist (Smart Wishlist for More Convert) plugin at version 1.9.1 or earlier. Versions before the introduced release (n/a) and up to 1.9.1 inclusive are impacted. The plugin is commonly embedded in e‑commerce themes that rely on WooCommerce.

The CVSS score of 7.1 highlights the significant impact of this flaw, and an EPSS score of < 1% indicates that, at present, it is unlikely to be actively exploited, and it is not currently listed in the CISA KEV catalog. The attack chain is likely initiated by an attacker crafting a malicious URL or input that triggers the reflected XSS. The vulnerability is publicly known, and an attacker can exploit it without authentication if the plugin endpoint is publicly accessible. Because it is a client‑side flaw, the impact is confined to the victim’s browser, but the damage potential is high.