Impact
The Ultimate WooCommerce Auction Pro plugin, in versions up to and including 2.4.5, fails to sanitize and escape user input supplied in the uwa_auctions_bids_list parameter before rendering it back to the browser. This is a reflected Cross-Site Scripting issue (CWE-79): an attacker who persuades a user to open a crafted URL can run arbitrary script in that user's browser, in the origin of the WordPress site, with whatever session the user holds, including an administrator session. The injected script can read and modify page content and issue authenticated requests on the victim's behalf. Direct theft of the WordPress login cookies is normally blocked because WordPress sets them HttpOnly, but script running in an administrator's session does not need the cookie value to act as that administrator.
Affected Systems
WordPress sites running the Ultimate WooCommerce Auction Pro plugin, version 2.4.5 or earlier. The plugin is identified by the slug "ultimate-woocommerce-auction-pro"; the vendor is not named in the advisory. No finer-grained version information is supplied, so any installation at 2.4.5 or below should be treated as affected until updated to a version newer than 2.4.5.
Risk and Exploitability
Because the flaw is reflected XSS, the payload is not stored on the server: each victim has to open a crafted URL (or submit a form that reflects the input), so exploitation normally relies on phishing or other social engineering. Users with high privileges, above all administrators, are the natural targets, since the injected script runs with the rights of the session in which the page is viewed. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, but the absence of a published severity rating does not reduce the practical risk: a single successful click by an administrator is enough to perform privileged actions on the site. The same crafted link works against every user who opens it, so a widely distributed link can compromise several accounts, with one click required per compromise.
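Reflected XSS attempts against a named parameter leave a trace in the web server's access log. The following detection script is an added example, not code from the advisory or from the plugin: it parses Combined Log Format lines, URL-decodes the uwa_auctions_bids_list value repeatedly (to catch double-encoded payloads), and flags values containing markup or script-context markers. The request paths and log lines are constructed for illustration; the advisory does not state which page handles the parameter.

```python
"""Flag reflected-XSS attempts against the uwa_auctions_bids_list parameter
(CWE-79, Ultimate WooCommerce Auction Pro <= 2.4.5) in access logs.

Added example, not the plugin's or the advisory's code. Assumptions: Combined
Log Format, GET requests, and constructed sample lines with hypothetical paths."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

TARGET_PARAM = "uwa_auctions_bids_list"

# ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Markers that have no business in a numeric/slug bid-list value.
XSS_MARKERS = re.compile(
    r"<\s*/?\s*[a-z!]"          # opening/closing tag or comment start
    r"|javascript\s*:"          # javascript: URL scheme
    r"|\bon[a-z]+\s*="          # inline event handler (onerror=, onload=, ...)
    r"|['\"][^'\"]*>",          # closing an attribute value and its tag
    re.IGNORECASE,
)


def fully_decode(value, rounds=3):
    """URL-decode until the value stops changing, defeating double encoding."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_xss_attempt(value):
    """True if the (decoded) value contains an XSS marker."""
    return bool(XSS_MARKERS.search(fully_decode(value)))


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # parse_qs removes one layer of URL encoding; fully_decode handles the rest.
    rec["params"] = parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True)
    return rec


def scan(lines, param=TARGET_PARAM):
    """Return one finding per request whose `param` value looks like XSS."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for value in rec["params"].get(param, []):
            if is_xss_attempt(value):
                findings.append({
                    "ip": rec["ip"], "ts": rec["ts"],
                    "status": rec["status"], "value": fully_decode(value),
                })
    return findings


# Constructed sample log; the /wp-admin/admin.php path is hypothetical.
SAMPLE_LOG = [
    # benign: numeric value
    '203.0.113.10 - - [12/May/2024:10:00:01 +0000] "GET /wp-admin/admin.php?page=uwa_auctions&uwa_auctions_bids_list=42 HTTP/1.1" 200 5120',
    # single-encoded script tag
    '198.51.100.7 - - [12/May/2024:10:00:05 +0000] "GET /wp-admin/admin.php?page=uwa_auctions&uwa_auctions_bids_list=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E HTTP/1.1" 200 5130',
    # double-encoded img/onerror payload
    '198.51.100.7 - - [12/May/2024:10:00:09 +0000] "GET /wp-admin/admin.php?page=uwa_auctions&uwa_auctions_bids_list=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5130',
    # markup in an unrelated parameter: outside this check's scope
    '192.0.2.33 - - [12/May/2024:10:00:12 +0000] "GET /?s=%3Cb%3Ehello%3C%2Fb%3E HTTP/1.1" 200 8800',
    # not a log line at all
    "garbage",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} value={f['value']!r}")
```

The scan is scoped to the one parameter the advisory names, so the search-box line is deliberately not reported; widen `param` or iterate over all parameters to hunt more broadly. Payloads submitted in a POST body do not appear in a standard access log, so this check covers the crafted-URL path only. A 200 response to a flagged request does not prove the payload executed; confirm by checking whether the affected page is still on a version at or below 2.4.5.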
OpenCVE Enrichment