Impact
The vulnerability is an improper neutralization of input during web page generation (cross-site scripting) that allows an attacker to inject arbitrary JavaScript into pages generated by the WooCommerce Photo Reviews plugin. Based on the description, it is inferred that the injected script runs in the browser of any user who accesses the affected pages, which can lead to defacement, cookie theft, phishing, or other malicious actions performed in the context of legitimate users. The weakness is a classic input validation flaw categorized as CWE-79.
Affected Systems
WordPress sites using the WooCommerce Photo Reviews plugin from villatheme, versions up to and including 1.3.13, are affected. Users should verify their plugin version and upgrade if it falls within this range.
Risk and Exploitability
The CVSS score of 7.1 signifies a moderate severity flaw. The EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Based on the description, it is inferred that attackers could exploit this remotely by visiting a page that renders untrusted data from the plugin, with no local privileges required. Proper input sanitization and validation are the core preventive measures according to the identified CWE.
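The following is an added illustration of the CWE-79 pattern described above and of the sanitization and output escaping that prevent it; it is not code from the WooCommerce Photo Reviews plugin, and the function names render_review_unsafe, render_review_safe and the review fields (author, content, rating) are hypothetical. It uses the real WordPress API functions esc_html(), esc_attr() and sanitize_textarea_field(), with fallbacks defined so the file also runs under plain `php` outside WordPress.

```php
<?php
// Added example (not the plugin's own code). Fallbacks let this run with
// plain `php` on the command line; inside WordPress the real functions are used.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_textarea_field' ) ) {
    function sanitize_textarea_field( $text ) {
        // Approximation of the WordPress helper: strip tags and surrounding whitespace.
        return trim( strip_tags( (string) $text ) );
    }
}

// Constructed sample submission: the kind of review body a stored-XSS bug lets through.
$submitted_review = array(
    'author'  => 'Sample <b>Customer</b>',
    'content' => 'Nice product. <script>alert(document.domain)</script>',
    'rating'  => '5" onmouseover="alert(1)',
);

// Vulnerable pattern (CWE-79): untrusted review fields are concatenated into
// HTML exactly as stored, so markup and event handlers reach the browser intact.
function render_review_unsafe( array $review ) {
    return '<div class="review" data-rating="' . $review['rating'] . '">'
         . '<strong>' . $review['author'] . '</strong>'
         . '<p>' . $review['content'] . '</p></div>';
}

// Hardened pattern: sanitize on input, then escape for the exact output context
// at render time (esc_attr inside attribute values, esc_html in element text).
function render_review_safe( array $review ) {
    $rating  = sanitize_textarea_field( $review['rating'] );
    $author  = sanitize_textarea_field( $review['author'] );
    $content = sanitize_textarea_field( $review['content'] );

    // Input sanitization alone is not sufficient; escaping at output is what
    // actually neutralizes the data for the HTML context it lands in.
    return '<div class="review" data-rating="' . esc_attr( $rating ) . '">'
         . '<strong>' . esc_html( $author ) . '</strong>'
         . '<p>' . esc_html( $content ) . '</p></div>';
}

echo "Vulnerable rendering:\n" . render_review_unsafe( $submitted_review ) . "\n\n";
echo "Hardened rendering:\n" . render_review_safe( $submitted_review ) . "\n";
```

Running the file with `php review-escaping.php` prints the review twice: the first version contains a live script element and a broken-out attribute, the second renders the same text as inert HTML entities. When auditing a plugin for this class of bug, the check is the same one the hardened function performs: every echo of review data must pass through an escaping function that matches its output context (attribute, text node, URL, or JavaScript).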
OpenCVE Enrichment