Impact
The vulnerability is an improper neutralization of input during web page generation in the ThemeWarriors WhatsApp Chat for WordPress and WooCommerce plugin (tw-whatsapp-chat-rotator) that permits reflected cross‑site scripting. An attacker can inject JavaScript into the rendered page, potentially enabling credential theft, session hijacking or malicious redirects. The injected code executes in the victim’s browser with that user’s privileges, compromising the confidentiality and integrity of site users. This flaw is classified as CWE‑79. Based on the description, it is inferred that the payload is delivered through user‑supplied data that the plugin does not properly neutralize when rendering a page.
Affected Systems
Any WordPress site that has installed the ThemeWarriors WhatsApp Chat for WordPress and WooCommerce plugin (tw-whatsapp-chat-rotator) version 1.2.1 or earlier is affected. The CVE does not specify a fixed version, so the status of later releases remains unknown.
Risk and Exploitability
The high CVSS score of 7.1 and the very low EPSS score of <1% indicate that while the flaw can cause significant damage, it is unlikely to be widely exploited at present. The vulnerability is not listed in CISA's KEV catalog. To trigger the flaw, a user must visit a crafted URL or submit manipulated input that the plugin reflects on the page. The injected script runs in the victim’s browser context, granting the attacker the victim’s privileges. The attack vector is likely reflected XSS via user‑supplied parameters; this is an inference from the description, as the specific input channels are not detailed.
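The Impact and Risk sections above describe the general shape of the flaw (a request parameter reflected into page markup without neutralization). The following is an added illustration, not code from the tw-whatsapp-chat-rotator plugin, whose actual handlers and parameter names are not known from the advisory; `tw_example_*`, `label` and `phone` are hypothetical. It shows the vulnerable pattern beside a hardened form that uses WordPress core sanitization and escaping helpers for each output context.

```php
<?php
// Added example, not the plugin's own code. The function and parameter
// names below are hypothetical stand-ins for a shortcode/widget renderer
// that builds a WhatsApp chat link from request data.

// Vulnerable pattern (CWE-79): request values are concatenated straight
// into HTML. A value containing quotes or tags is interpreted as markup
// and reflected to whoever loads the crafted URL.
function tw_example_vulnerable_render() {
    $label = isset( $_GET['label'] ) ? $_GET['label'] : 'Chat with us';
    $phone = isset( $_GET['phone'] ) ? $_GET['phone'] : '';
    return '<a class="tw-chat" href="https://wa.me/' . $phone . '">' . $label . '</a>';
}

// Hardened pattern: sanitize on input, escape for the exact output
// context (URL, attribute, text node) on output. Both steps are needed;
// sanitize_text_field() alone does not make a value safe inside an
// attribute, and esc_html() alone is the wrong escaper for an href.
function tw_example_hardened_render() {
    $label = isset( $_GET['label'] )
        ? sanitize_text_field( wp_unslash( $_GET['label'] ) )
        : 'Chat with us';

    // Only digits are meaningful in a wa.me number: drop everything else
    // so the href can never carry a scheme or script fragment.
    $phone = isset( $_GET['phone'] )
        ? preg_replace( '/\D+/', '', wp_unslash( $_GET['phone'] ) )
        : '';

    return sprintf(
        '<a class="%s" href="%s">%s</a>',
        esc_attr( 'tw-chat' ),                 // attribute context
        esc_url( 'https://wa.me/' . $phone ),  // URL context
        esc_html( $label )                     // text-node context
    );
}
```

The stronger fix is to avoid reflecting request parameters at all: a chat button's label and number are configuration, so read them from the plugin's saved settings (the options API) or from shortcode attributes with fixed defaults, and apply the same `esc_*` helpers at the point of output. A fixed release, if one exists, is not identified by the advisory, so site owners should check the plugin's changelog before assuming later versions are patched.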
OpenCVE Enrichment