Impact
The extendons WooCommerce Registration Fields Plugin – Custom Signup Fields contains a reflected cross-site scripting (XSS) flaw: user-supplied input is written into the generated registration page without output encoding. An attacker who gets a victim to open a crafted URL can have arbitrary JavaScript execute in the victim's browser in the context of the site, which can lead to session hijacking, cookie theft and actions performed with the victim's privileges. The weakness is the classic injection class CWE-79 (Improper Neutralization of Input During Web Page Generation).
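The mechanism above is the general CWE-79 pattern, and the following example illustrates it outside the plugin: it is added here, is not the plugin's or vendor's code, and uses hypothetical field names. It places a hypothetical vulnerable registration-field renderer beside a hardened one (Python's html.escape with quote=True encodes the same characters WordPress's esc_attr()/esc_html() neutralise), and adds a small check that classifies how a response reflects a probe value, which an administrator can run against HTML saved from their own installation to see whether a given field comes back encoded.

```python
"""
Added example, not code from the plugin.  Demonstrates reflected XSS
(CWE-79) in a hypothetical registration-field renderer and a check that
classifies how a probe value is reflected in a page.
"""
import html
import re

# Constructed probe: a unique token on both sides of the characters that
# must stay encoded for output to be safe inside an attribute or element.
PROBE_TOKEN = "zq7x"
PROBE = PROBE_TOKEN + '"\'<>' + PROBE_TOKEN


def render_field_vulnerable(label: str, value: str) -> str:
    """Hypothetical vulnerable pattern: the user-controlled value is copied
    straight into an HTML attribute and the label into element text."""
    return (f'<label>{label}</label>'
            f'<input type="text" name="field" value="{value}">')


def render_field_hardened(label: str, value: str) -> str:
    """Hardened form: every user-controlled string is entity-encoded for the
    context it lands in.  html.escape(quote=True) encodes & < > " and '."""
    return (f'<label>{html.escape(label, quote=True)}</label>'
            f'<input type="text" name="field" '
            f'value="{html.escape(value, quote=True)}">')


def classify_reflection(body: str, token: str = PROBE_TOKEN) -> str:
    """Classify how the probe came back in an HTML body.

    'unescaped'     - at least one of " ' < > survived verbatim between the
                      probe tokens, so attacker markup reaches the page
    'escaped'       - the probe is reflected but all four characters were
                      entity-encoded
    'not_reflected' - the probe tokens do not appear at all
    """
    pattern = re.escape(token) + r"(.*?)" + re.escape(token)
    match = re.search(pattern, body, re.S)
    if not match:
        return "not_reflected"
    middle = match.group(1)
    raw_survivors = [c for c in '"\'<>' if c in middle]
    return "unescaped" if raw_survivors else "escaped"


if __name__ == "__main__":
    # Constructed pages: the same probe rendered by both hypothetical renderers.
    pages = {
        "vulnerable": render_field_vulnerable("Phone", PROBE),
        "hardened": render_field_hardened("Phone", PROBE),
    }
    for name, page in pages.items():
        print(f"{name:10s} {classify_reflection(page):13s} {page}")
```

In the vulnerable rendering the double quote inside the probe closes the `value` attribute, which is exactly the foothold a reflected payload needs; in the hardened rendering the same input comes back as `&quot;&#x27;&lt;&gt;` and stays inert. When running the check against a real page, submit the probe through the field or URL parameter under test, save the response body, and feed it to `classify_reflection`; a result of "unescaped" for any parameter is the condition the advisory describes.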
Affected Systems
Any WordPress installation running the extendons WooCommerce Registration Fields Plugin – Custom Signup Fields at version 3.2.3 or earlier is affected. No lower bound or fixed version is supplied, so every installation at or below 3.2.3 should be treated as vulnerable.
Risk and Exploitability
The flaw has a CVSS base score of 7.1 and an EPSS score below 1%: the potential impact is significant, but the estimated probability of exploitation in the wild is currently low. It is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalogue. Exploitation requires user interaction: the victim must open a crafted URL or form, which an attacker can distribute through links, e-mail or a page they control. Because the payload runs client-side, any visitor who loads the tainted page triggers it, whether or not they are logged in, and the attacker gains whatever that visitor's session allows. The low EPSS does not make the flaw safe to ignore: a registration page is customer-facing, and a reflected payload needs only one victim to follow a link.
OpenCVE Enrichment