Impact
The vulnerability is an improper neutralization of input during web page generation that allows an attacker to inject JavaScript which executes in the victim's browser. The cross-site scripting flaw is DOM-based: the injected code runs in the context of the page without any change to the server's responses. An attacker can use it to hijack user sessions, deface the site, or redirect users to malicious locations. The likely attack vector is inferred to be DOM-based XSS via payloads reflected in the payment interface, where user-controlled data is displayed without proper sanitization.
Affected Systems
Filipe Seabra WooCommerce Parcelas is affected on WordPress installations running plugin version 1.3.5 or earlier. The issue applies to every supported WordPress release that can host the plugin, regardless of the active theme or other installed plugins. Site owners running other versions of the plugin are not impacted.
Risk and Exploitability
The CVSS score of 5.9 places this flaw in the moderate range, but its EPSS of less than 1% indicates a very low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker exploits it by crafting input that is reflected in the payment interface and tricking a user into visiting the affected page, after which the injected script executes in that user's browser. The risk is primarily client-side: the flaw gives no direct server-side or code-execution access, but it can be leveraged to compromise the site's users.
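The pattern described in the Impact and Risk sections, shown as an added, constructed illustration rather than the plugin's own code: a client-side installments widget that reads a query parameter and builds markup from it, beside a hardened version that validates the value and HTML-encodes output. The parameter name `parcelas`, the installment range, and the page URL are assumptions.

```javascript
// Constructed example of a DOM-based XSS pattern in an installments widget and
// its hardened counterpart. Not taken from WooCommerce Parcelas; names are assumed.

// Attacker-controlled source: a query parameter read on the client side.
function readInstallmentsParam(pageUrl) {
  const url = new URL(pageUrl);
  return url.searchParams.get("parcelas") || "";
}

// VULNERABLE: the raw parameter is concatenated into markup that the page
// would then hand to a DOM sink such as innerHTML, so tags survive intact.
function renderInstallmentsUnsafe(pageUrl) {
  const parcelas = readInstallmentsParam(pageUrl);
  return `<span class="parcelas">Up to ${parcelas}x interest-free</span>`;
}

// Minimal HTML encoder for text placed inside element content or attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only the shape the value should ever have: a small positive integer.
// Anything else is rejected outright instead of being reflected back.
function parseInstallments(raw, maxInstallments = 12) {
  if (!/^\d{1,2}$/.test(raw)) return null;
  const n = Number(raw);
  return n >= 1 && n <= maxInstallments ? n : null;
}

// HARDENED: validate first, then encode whatever is rendered. In a browser the
// same value would preferably go through a text sink (textContent) rather than
// innerHTML, which makes the encoding step a second line of defence.
function renderInstallmentsSafe(pageUrl) {
  const n = parseInstallments(readInstallmentsParam(pageUrl));
  if (n === null) return '<span class="parcelas"></span>';
  return `<span class="parcelas">Up to ${escapeHtml(n)}x interest-free</span>`;
}
```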
OpenCVE Enrichment