Impact
The identified flaw allows a Reflected Cross-Site Scripting (XSS) attack in the WordPress Easy Woocommerce Customizer plugin. The vulnerability stems from improper neutralization of user-supplied input during web page generation (CWE-79): a value taken from the request is written back into the rendered page without being escaped for its output context. Exploitation causes an attacker's script to run in the victim's browser with the victim's session, potentially leading to session hijacking, credential theft, defacement of the site, or actions performed with the victim's privileges (including administrative actions if the victim is a logged-in administrator).
Affected Systems
Any WordPress installation that includes the themebon Easy Woocommerce Customizer plugin at version 1.0.2 or earlier is affected. Every release from the earliest version up to and including 1.0.2 contains the flaw, so sites that have not applied the subsequent update remain exposed.
Risk and Exploitability
The CVSS score of 7.1 falls in the High band of the CVSS qualitative scale (7.0 to 8.9), not Medium. EPSS < 1% suggests a low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Based on the nature of the flaw, the likely attack vector is a crafted URL or form input whose value is reflected back into the generated page, allowing an attacker to deliver a malicious script to users who follow the link or submit the form. As with any reflected XSS, exploitation requires user interaction: the attacker must get a victim to visit the attacker-supplied URL. The impact is confined to client-side execution in the victim's browser and does not provide direct remote code execution on the server.
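The following is an added illustration of the reflected-XSS pattern a CWE-79 finding in a WordPress plugin describes, placed beside its escaped form. It is not code from the Easy Woocommerce Customizer plugin or from themebon; the parameter name preview_label and the two render functions are hypothetical placeholders. The esc_html(), esc_attr() and sanitize_text_field() shims are approximations so the file runs under a plain php binary outside WordPress; inside WordPress the real functions are used.

```php
<?php
// Added example, not the plugin's code. "preview_label" is a hypothetical
// request parameter chosen for illustration only.

// Shims so the file runs under plain `php` outside WordPress. Inside
// WordPress the real esc_html()/esc_attr()/sanitize_text_field() are used.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Approximation of WordPress behaviour: strip tags and control bytes, trim.
        $str = strip_tags((string) $str);
        $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
        return trim($str);
    }
}

// Vulnerable pattern (CWE-79): request input is echoed into the generated
// page unescaped, in both an attribute context and an HTML body context.
function render_label_vulnerable(array $get): string {
    $label = isset($get['preview_label']) ? $get['preview_label'] : '';
    return '<input type="text" value="' . $label . '">'
         . '<p class="hint">' . $label . '</p>';
}

// Hardened form: normalise on input, then escape for the exact output
// context (esc_attr inside an attribute, esc_html inside element content).
function render_label_hardened(array $get): string {
    $label = isset($get['preview_label'])
        ? sanitize_text_field($get['preview_label'])
        : '';
    return '<input type="text" value="' . esc_attr($label) . '">'
         . '<p class="hint">' . esc_html($label) . '</p>';
}

// Quick check a reviewer can run against any rendered fragment: does a raw
// <script tag survive into the output?
function reflects_script(string $html): bool {
    return stripos($html, '<script') !== false;
}

// Constructed crafted request, standing in for the query string of an
// attacker-supplied URL. The payload breaks out of the value="" attribute
// and then injects a script element.
$crafted = ['preview_label' => '"><script>alert(document.cookie)</script>'];

echo "vulnerable: " . render_label_vulnerable($crafted) . PHP_EOL;
echo "hardened:   " . render_label_hardened($crafted) . PHP_EOL;
echo "vulnerable reflects script: " . var_export(reflects_script(render_label_vulnerable($crafted)), true) . PHP_EOL;
echo "hardened reflects script:   " . var_export(reflects_script(render_label_hardened($crafted)), true) . PHP_EOL;
```

Run it with php on the command line. The vulnerable renderer reproduces the payload verbatim, so the closing quote terminates the attribute and the script element lands in the page; the hardened renderer has the tags removed on input and the remaining quote and angle bracket encoded as entities, so no script element is emitted. The point to carry over to a real code review is the second half: sanitizing on input alone is not enough, because the escaping function must match the context the value is written into.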
OpenCVE Enrichment