Impact
An attacker can inject arbitrary JavaScript into the output of the WooCommerce Vehicle Parts Finder plugin because user‑supplied input is not properly neutralized. The reflected XSS flaw allows malicious code to run in the browser of any user who views the affected page, potentially leading to credential theft, session hijacking, or defacement. This weakness corresponds to CWE‑79.
Affected Systems
All sites running wpinstinct’s WooCommerce Vehicle Parts Finder plugin at version 3.7 or earlier are susceptible. The vulnerability is present from the earliest available build through 3.7, so any installation that has not been upgraded beyond 3.7 remains at risk.
Risk and Exploitability
The CVSS base score of 7.1 indicates moderate to high severity, but the EPSS score of <1% suggests a low current exploitation probability. The flaw is not listed in the CISA KEV catalog. It is remotely exploitable and requires no authentication: an attacker only needs to lure a victim to a crafted URL containing malicious query parameters. Consequently, while the potential impact is significant, the likelihood of widespread exploitation is presently low; it should nonetheless not be ignored.
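The CWE-79 pattern behind this advisory (a query parameter reflected into the page without neutralization) and the fix a plugin maintainer would apply, shown as an added example that is not the plugin's own code; the parameter names vpf_make and vpf_model and the function names are hypothetical stand-ins for whatever the affected page reflects:

```php
<?php
// Added example, not code from the WooCommerce Vehicle Parts Finder plugin.
// vpf_make / vpf_model are hypothetical names for the reflected query parameters.

// BEFORE (vulnerable pattern, CWE-79): the raw query parameter is written
// straight into an attribute value and into a text node. A value containing
// a quote character and markup breaks out of the attribute and is executed
// in the browser of whoever opens the crafted link.
function vpf_render_filter_vulnerable() {
    $make  = isset( $_GET['vpf_make'] )  ? $_GET['vpf_make']  : '';
    $model = isset( $_GET['vpf_model'] ) ? $_GET['vpf_model'] : '';
    echo '<input type="text" name="vpf_make" value="' . $make . '">';
    echo '<p>Showing parts for ' . $make . ' ' . $model . '</p>';
}

// AFTER (hardened): unslash and sanitize on the way in, then escape for the
// exact output context on the way out. esc_attr() for attribute values,
// esc_html() for text nodes; all four helpers are WordPress core functions.
function vpf_render_filter_hardened() {
    $make  = isset( $_GET['vpf_make'] )
        ? sanitize_text_field( wp_unslash( $_GET['vpf_make'] ) )
        : '';
    $model = isset( $_GET['vpf_model'] )
        ? sanitize_text_field( wp_unslash( $_GET['vpf_model'] ) )
        : '';

    printf(
        '<input type="text" name="vpf_make" value="%s">',
        esc_attr( $make )
    );
    printf(
        '<p>Showing parts for %s %s</p>',
        esc_html( $make ),
        esc_html( $model )
    );
}
```

Sanitizing alone is not sufficient: sanitize_text_field() does not HTML-encode, so the escaping call at each output site is what actually closes the reflected XSS. Where the plugin knows the valid makes and models, rejecting any value not in that allowlist before rendering is a further defence.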
OpenCVE Enrichment