Impact
A reflected cross‑site scripting (XSS) vulnerability exists in the Ultimate WooCommerce Auction Pro (ultimate‑woocommerce‑auction‑pro) WordPress plugin in versions up to and including 2.4.5. The flaw arises from a request parameter that is echoed back into a page without sanitisation or output escaping, so an attacker can inject arbitrary HTML and JavaScript that executes in the browser of whoever opens a crafted URL. If the victim is an administrator or another privileged user, the injected script runs within that user's authenticated session and can trigger actions on their behalf, read page content and any data exposed to scripts in that session, or redirect the user to attacker‑controlled sites, compromising the confidentiality, integrity, or availability of the account.
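The following is an added illustration of the pattern described above, not code from the plugin or from OpenCVE: a hypothetical admin-page handler that reflects a parameter named uwa_manage_auctions (the name the advisory gives; its real semantics in the plugin are not known here), shown first in its vulnerable form and then hardened with WordPress's own input and output functions. The WordPress functions are real; the small shims are assumptions that approximate them so the file runs under plain PHP CLI as well. The probe value is a constructed generic canary, not a proof of concept for this plugin.

```php
<?php
// Added illustration, not the plugin's own code: a hypothetical admin-page handler that
// reflects the uwa_manage_auctions request parameter, first unsafely, then hardened.
// wp_unslash, sanitize_text_field, esc_html and esc_attr are real WordPress functions;
// the shims below only approximate them so this file also runs under plain PHP CLI.

if (!function_exists('wp_unslash')) {
    function wp_unslash($value) {
        return is_string($value) ? stripslashes($value) : $value;
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        $str = strip_tags((string) $str);               // drop tags, keep the text
        $str = preg_replace('/[\r\n\t ]+/', ' ', $str);  // collapse whitespace
        return trim($str);
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: the raw query-string value is concatenated straight into markup,
// once in a text node and once inside an attribute value.
function render_vulnerable(array $get): string {
    $view = $get['uwa_manage_auctions'] ?? '';
    return '<h2>Manage auctions: ' . $view . '</h2>'
         . '<input type="hidden" name="uwa_manage_auctions" value="' . $view . '">';
}

// Hardened pattern: unslash and sanitise on input, then escape at output with the
// function that matches the HTML context (esc_html for text, esc_attr for attributes).
function render_hardened(array $get): string {
    $view = sanitize_text_field(wp_unslash($get['uwa_manage_auctions'] ?? ''));
    return '<h2>Manage auctions: ' . esc_html($view) . '</h2>'
         . '<input type="hidden" name="uwa_manage_auctions" value="' . esc_attr($view) . '">';
}

// Constructed probe value (a generic XSS canary, not a proof of concept for this plugin):
// it closes the attribute and opens a script element if reflected verbatim.
const PROBE = '"><script>alert(document.domain)</script>';

// True when the renderer lets the probe's script element through unescaped.
function probe_reflects_script(callable $renderer): bool {
    $html = $renderer(['uwa_manage_auctions' => PROBE]);
    return strpos($html, '<script>') !== false;
}

if (PHP_SAPI === 'cli') {
    foreach (['render_vulnerable', 'render_hardened'] as $fn) {
        printf("%s reflects <script>: %s\n%s\n\n",
            $fn, probe_reflects_script($fn) ? 'yes' : 'no',
            $fn(['uwa_manage_auctions' => PROBE]));
    }
}
```

Run it with the php CLI to see the two renderings side by side; inside WordPress the handler would receive $_GET instead of the constructed array. The control that actually closes the XSS is the context-aware escaping at output: sanitize_text_field on its own does not make a value safe inside an attribute, and where the parameter only selects among a fixed set of views, an allow-list comparison (in_array with strict mode) is tighter still.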
Affected Systems
All installations of Ultimate WooCommerce Auction Pro at version 2.4.5 or earlier are affected. The plugin is distributed as a WordPress add‑on, so any WordPress site that uses this vendor's auction functionality may carry the flaw; confirm the installed version from the site's plugin list rather than assuming a site is unaffected.
Risk and Exploitability
The vulnerability is reachable through the web interface and the attacker needs no account on the site: it is enough to craft a URL in which the uwa_manage_auctions parameter carries a script payload and lure a privileged user into opening it, for example through a phishing message. No CVSS score is publicly available and no EPSS score is listed, so neither severity nor exploitation likelihood has been quantified here; the absence of these scores says nothing about how often the flaw is being exploited. The vulnerability is not currently listed in the CISA KEV catalog, but because a single successful lure compromises an administrator's session it should be treated as high priority and patched as soon as a fixed release is available.
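As an added example of the check a defender would run while a fix is pending (not part of the advisory or the plugin), the script below scans web server access logs in combined format for requests whose uwa_manage_auctions parameter contains HTML or JavaScript metacharacters, which is what a reflected-XSS lure URL would carry. The log lines are constructed for illustration, the payload values in them are generic canaries rather than a proof of concept for this plugin, and the detection pattern is an assumption to be tuned to the parameter's real expected values.

```php
<?php
// Added example, not from the plugin or OpenCVE: flag access-log requests whose
// uwa_manage_auctions parameter looks like injected markup. Sample lines are constructed.

const PARAM = 'uwa_manage_auctions';

// Coarse heuristic: a tag opener, an on*= event handler, a javascript: URL or an HTML
// entity in the decoded value. Legitimate values for a view selector contain none of these.
function looks_like_markup(string $value): bool {
    return (bool) preg_match('/<[a-z!\/]|on[a-z]+\s*=|javascript:|&#x?[0-9a-f]+;?/i', $value);
}

// Request target (path plus query) from a combined-format log line, or null if unparsable.
function request_target(string $line): ?string {
    if (!preg_match('/"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    return $m[1];
}

// Decoded value of the parameter, or null when it is absent.
function param_value(string $target): ?string {
    $query = parse_url($target, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return null;
    }
    parse_str($query, $params);          // percent-decodes and treats '+' as a space
    $v = $params[PARAM] ?? null;
    if (!is_string($v)) {
        return null;
    }
    return rawurldecode($v);             // second pass catches double-encoded payloads
}

// Returns [['line' => n, 'value' => decoded], ...] for every suspicious request.
function suspicious_lines(array $lines): array {
    $hits = [];
    foreach ($lines as $i => $line) {
        $target = request_target($line);
        if ($target === null) {
            continue;
        }
        $value = param_value($target);
        if ($value !== null && looks_like_markup($value)) {
            $hits[] = ['line' => $i + 1, 'value' => $value];
        }
    }
    return $hits;
}

// Constructed sample log: one benign request, one single-encoded and one double-encoded
// canary in the parameter, and one unrelated request.
$sample = [
    '203.0.113.7 - - [10/Oct/2024:10:00:01 +0000] "GET /wp-admin/admin.php?page=auctions&uwa_manage_auctions=list HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2024:10:00:05 +0000] "GET /wp-admin/admin.php?page=auctions&uwa_manage_auctions=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5311',
    '198.51.100.2 - - [10/Oct/2024:10:01:11 +0000] "GET /wp-admin/admin.php?page=auctions&uwa_manage_auctions=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5300',
    '198.51.100.2 - - [10/Oct/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
];

foreach (suspicious_lines($sample) as $hit) {
    printf("line %d: %s=%s\n", $hit['line'], PARAM, $hit['value']);
}
```

To run it over a real log, replace $sample with file($path, FILE_IGNORE_NEW_LINES). The pattern is deliberately broad and will occasionally flag a legitimate value that happens to contain an angle bracket or an on...= substring; a 200 response to a request matching this rule from an address that later shows up in an administrator's session is the combination worth escalating.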
OpenCVE Enrichment