Impact
An improperly neutralized, user-supplied value is reflected into an output page without sufficient sanitization, creating a reflected cross-site scripting vulnerability in the Robokassa payment gateway for Woocommerce plugin. When an attacker supplies malicious input that the plugin echoes back to the browser, the victim's browser executes the injected script, which can lead to theft of session cookies, defacement, or redirection to malicious sites. This weakness is classified as CWE-79 and threatens the confidentiality of user data and the integrity of the site's interface.
Affected Systems
WordPress sites that use the Robokassa payment gateway for Woocommerce plugin are affected in every version from the first release through and including 1.8.6.
Risk and Exploitability
The vulnerability carries a CVSS score of 7.1, indicating moderate to high severity. The EPSS score is under 1 %, suggesting a low probability of exploitation at present, and it is not listed in the CISA KEV catalog. Exploitation would most likely involve an attacker convincing a user to click a crafted link that contains the malicious payload, or submitting a comment or form whose input is echoed back. Once the user visits the vulnerable page, the script runs in the user's browser context.
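The pattern described in the Impact and Risk sections, as an added example that is not the plugin's own code: a hypothetical `status` request parameter is echoed into a text node and an attribute without escaping, next to a hardened version that allow-lists the value and uses WordPress's `esc_html()`/`esc_attr()` for the exact output context. The markup and parameter name are assumptions; the fallback function definitions exist only so the file runs outside WordPress.

```php
<?php
// Added example (not the plugin's own code): the reflected-XSS (CWE-79) pattern
// and its fix. The parameter name 'status' and the markup are hypothetical.

// Fallbacks so this file also runs with `php -f` outside WordPress. WordPress
// itself defines esc_html()/esc_attr() in wp-includes/formatting.php.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// VULNERABLE: the request parameter reaches the response body unchanged,
// so any markup in it becomes part of the page the victim's browser renders.
function render_status_vulnerable(array $query): string {
    $status = $query['status'] ?? '';
    return '<p class="payment-status">Payment status: ' . $status . '</p>'
         . '<input type="hidden" name="status" value="' . $status . '">';
}

// FIXED: reject anything outside the expected values, then escape for the
// exact context (text node vs. attribute) at the point of output.
function render_status_fixed(array $query): string {
    $allowed = ['success', 'fail', 'pending'];
    $raw = $query['status'] ?? '';
    $status = (is_string($raw) && in_array($raw, $allowed, true)) ? $raw : 'unknown';
    return '<p class="payment-status">Payment status: ' . esc_html($status) . '</p>'
         . '<input type="hidden" name="status" value="' . esc_attr($status) . '">';
}

// Constructed request: a value that closes the attribute and the paragraph.
$crafted = ['status' => '"><script>alert(1)</script>'];

$vuln  = render_status_vulnerable($crafted);
$fixed = render_status_fixed($crafted);

// The vulnerable rendering contains a live <script> element; the fixed
// rendering contains only the allow-listed fallback value.
assert(strpos($vuln, '<script>') !== false);
assert(strpos($fixed, '<script>') === false);
echo $fixed, PHP_EOL;
```

Escaping alone (without the allow-list) would also neutralize this payload; the allow-list is added because a payment-status field has a small, known set of legitimate values.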
OpenCVE Enrichment