The vulnerability involves stored cross‑site scripting that arises from insufficient input sanitization and output escaping of the 'id' parameter in YITH WooCommerce Wishlist. Only authenticated users with Contributor-level or higher privileges can inject malicious scripts via that parameter, and those scripts will be rendered and executed in the browsers of any visitor accessing the affected pages. The execution of the injected code can alter page content and potentially expose the visitors' session or other sensitive data, but the CVE documentation does not explicitly state specific downstream impacts such as data theft or session hijacking.

This flaw affects all releases of the YITH WooCommerce Wishlist WordPress plugin up to and including version 4.5.0, distributed by yithemes under the product name YITH WooCommerce Wishlist. WordPress sites that have imported or otherwise used the 'id' parameter within the plugin in the 4.5.0 or earlier releases are potentially impacted. The vendor documented the issue in the change log for the free version and referenced the affected source file https://plugins.svn.wordpress.org/yith-woocommerce-wishlist/tags/4.5.0/assets/js/unminified/jquery.yith-wcwl.js.

The CVSS score of 6.4 assigns moderate severity to the flaw. The EPSS value of less than 1% indicates a low probability of observed exploitation. The issue is not listed in the CISA KEV catalog. Attackers must first authenticate to the WordPress site as a contributor or higher, then supply a malicious payload via the vulnerable id parameter; the payload will be stored and rendered on subsequent visits by any user, which could lead to cross‑site scripting attacks.