Impact
The Ultimate WooCommerce Auction Pro plugin for WordPress through version 2.4.5 contains an unsanitized, unescaped parameter named uwa_auctions_bids_list. When the plugin outputs this value without filtering, malicious code supplied by an attacker is reflected in the browser. Because the output is rendered client‑side, the flaw allows an attacker to inject and execute arbitrary JavaScript in the context of any user who views the affected page, potentially capturing session cookies or performing actions on behalf of administrators.
Affected Systems
WordPress sites that have installed the Ultimate WooCommerce Auction Pro plugin version 2.4.5 or earlier are affected. The plugin, identified internally as ultimate-woocommerce-auction-pro, is distributed by an unnamed vendor; any installation that has not upgraded past 2.4.5 remains vulnerable.
Risk and Exploitability
The vulnerability is client‑side and can be triggered by visiting a URL or submitting an input that contains a crafted uwa_auctions_bids_list value. The attack vector is inferred from the description, which notes that it could be used against high‑privilege users. With a CVSS score of 6.1, the flaw represents moderate severity. EPSS is not reported, and the issue is not in the CISA KEV catalog, so the likelihood of active exploitation is unknown. Nonetheless, the primary risk is execution of attacker‑supplied script in the victim’s browser, opening the door to privilege escalation, session hijacking, or defacement if an admin or other privileged user views the page.
OpenCVE Enrichment