Impact
This vulnerability is an Improper Neutralization of Input During Web Page Generation that allows a reflected cross‑site scripting flaw in the WordPress RVCFDI para Woocommerce plugin. An attacker can inject arbitrary JavaScript into a page, potentially enabling session hijacking, defacement, or credential theft against users who visit the crafted link.
Affected Systems
The issue affects the realvirtualmx RVCFDI para Woocommerce plugin on WordPress installations, specifically all releases from the initial version up to and including 8.1.8.
Risk and Exploitability
The CVSS score of 7.1 indicates a high severity level, while the EPSS score of less than 1% suggests a low probability of exploitation in the near term. The vulnerability is not currently listed in the CISA KEV catalog. Since it is a reflected XSS flaw, the likely attack vector involves a malicious URL or form submission that the site reflects back to the user without proper sanitization.
OpenCVE Enrichment