Impact
The flaw in the Import Export For WooCommerce plugin is a cross-site request forgery (CWE-352): an attacker can trick an authenticated administrator into sending a crafted request that injects malicious script into data stored by the plugin. Once stored, the payload runs whenever the affected data is rendered, giving the attacker control over the browser context of any user who later views that data. Such a stored XSS can lead to theft of session cookies or hijacking of user accounts.
Affected Systems
The vulnerability affects the WordPress plugin Import Export For WooCommerce from vendor sidngr, in all releases up to and including version 1.6.2. No newer version is listed as safe, so any installation running these versions remains susceptible.
Risk and Exploitability
The CVSS score of 7.1 indicates a moderately high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, implying it has not yet been widely exploited or observed in the field. The likely attack path requires the attacker to convince an administrator to visit a malicious link or otherwise trigger the import action; after that, the stored XSS payload executes for every user who subsequently views the injected content.
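To make the CSRF-to-stored-XSS chain from the Impact and Risk sections concrete, here is an added example (not the plugin's own code) of a hypothetical WordPress admin import handler with the missing request check beside a hardened version. The hook, option and action names are assumptions for illustration; the WordPress functions used are real.

```php
<?php
// Hypothetical admin-side import handler modelled on the flaw described above.
// Hook, option and action names are assumptions, not the plugin's own code.

// BEFORE: no nonce or capability check. Any request that reaches this handler
// while an administrator is logged in is honoured, so a forged cross-site
// request (CWE-352) can store attacker-controlled markup.
function demo_vuln_handle_import() {
    if ( isset( $_POST['import_data'] ) ) {
        update_option( 'demo_import_label', wp_unslash( $_POST['import_data'] ) );
    }
}
add_action( 'admin_init', 'demo_vuln_handle_import' );

// AFTER: bind the action to a nonce tied to the logged-in user's session,
// require the capability the action actually needs, and sanitize what is stored.
function demo_safe_handle_import() {
    if ( ! isset( $_POST['import_data'] ) ) {
        return;
    }
    // Dies with an error unless a valid nonce for this action was submitted;
    // a form on an attacker's site cannot obtain that nonce.
    check_admin_referer( 'demo_import_action', 'demo_import_nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'demo' ), 403 );
    }
    $label = sanitize_text_field( wp_unslash( $_POST['import_data'] ) );
    update_option( 'demo_import_label', $label );
}
add_action( 'admin_init', 'demo_safe_handle_import' );

// The legitimate admin form must carry the nonce so that only it is accepted.
function demo_safe_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'demo_import_action', 'demo_import_nonce' );
    echo '<input type="text" name="import_data">';
    submit_button( __( 'Import', 'demo' ) );
    echo '</form>';
}

// Escaping at render time is the second layer: even if some other defect lets
// untrusted markup reach the database, it is shown as text, not executed.
function demo_safe_render_label() {
    echo '<p>' . esc_html( get_option( 'demo_import_label', '' ) ) . '</p>';
}
```

The nonce check alone closes the CSRF vector; the capability check and output escaping limit the blast radius if a request does get through by another route.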
OpenCVE Enrichment