Impact
This vulnerability is a reflected XSS flaw caused by improper input neutralization in the WordPress WC Return products plugin. Attackers can embed malicious scripts into input fields or URLs that the plugin reflects back to the browser, enabling execution of arbitrary JavaScript in the victim’s session. Possible consequences include session hijacking, credential theft, defacement, or phishing attempts. These affect the confidentiality and integrity of the user’s session but do not directly compromise server credentials or execute code on the server.
Affected Systems
The flaw is present in WordPress WC Return products plugin versions up to and including 1.5. No specific minor versions are listed; all releases from the earliest available to 1.5 are affected.
Risk and Exploitability
The CVSS score of 7.1 indicates a medium‑high severity, yet the EPSS score of < 1% suggests a low probability of exploitation at present. The vulnerability is not catalogued in CISA’s KEV list. Attackers would most likely craft a malicious URL containing arbitrary JavaScript, target a user who visits or is tricked into clicking the link, and gain script execution in that user’s browser. The attack requires that the attacker can persuade a user to load the URL or exploit the plugin’s user interface, which is a fairly common scenario for reflected XSS.