Impact
The vulnerability resides in the Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin and allows authenticated users with contributor-level access or higher to inject arbitrary scripts through the shortcodes 'alg_wc_cog_product_cost' and 'alg_wc_cog_product_profit'. This stored cross-site scripting flaw stems from inadequate input sanitization and output escaping of the shortcode attributes, so the injected script executes whenever a visitor loads a page containing the malicious shortcode. The weakness is classified as CWE-79, which lets an attacker act in the victim's browser, potentially stealing credentials or session data, or delivering malware. The impact is confined to the web interface of the affected site and does not provide direct code execution on the server.
Affected Systems
The plugin "Cost of Goods: Product Cost & Profit Calculator for WooCommerce" by wpcodefactory is affected in all releases up to and including version 4.1.0. Users must verify the plugin version installed on the WordPress instance and note that contributor‑level or higher accounts are required to exploit the flaw.
Risk and Exploitability
The CVSS score of 6.4 categorizes this vulnerability as medium severity. EPSS information is not available, and the flaw is not listed in the CISA KEV catalog, indicating no currently known mass exploitation. The attack vector is inferred to be an authenticated contributor with the ability to edit products or settings, inserting malicious attributes into the shortcodes. Once stored, the script runs in the context of every user who views the affected page, giving the attacker a persistent cross-site scripting vector across site visitors.
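The two paragraphs above describe the root cause (shortcode attributes reaching the page without sanitization or escaping) and the result (a stored script that runs for every visitor). The following is an added illustration written for this page; it is not code from the Cost of Goods plugin and does not reproduce its implementation. It shows a hypothetical shortcode handler with the CWE-79 pattern the advisory describes beside a hardened version that validates on input and escapes on output. The attribute names (product_id, label, wrapper_class), the function names prefixed demo_, and the sample cost table are all assumptions made for the example.

```php
<?php
// Added example for this advisory, not the plugin's own code.
// Hypothetical handlers for a [alg_wc_cog_product_cost ...] style shortcode.
// Attribute names, function names and the cost table below are assumptions.

// Constructed sample data standing in for the plugin's stored product costs.
function demo_get_product_cost( $product_id ) {
    $sample_costs = array( 101 => 12.50, 102 => 7.25 ); // assumed values
    return isset( $sample_costs[ $product_id ] ) ? $sample_costs[ $product_id ] : 0.0;
}

// --- VULNERABLE pattern: attribute values are written into HTML unescaped ---
function demo_cog_product_cost_unsafe( $atts ) {
    $atts = shortcode_atts( array(
        'product_id'    => get_the_ID(),
        'label'         => 'Cost:',
        'wrapper_class' => 'cog-cost',
    ), $atts, 'alg_wc_cog_product_cost' );

    $cost = demo_get_product_cost( (int) $atts['product_id'] );

    // Whatever a contributor put in label="..." or wrapper_class="..." lands
    // directly in the page markup. Because the shortcode is stored with the
    // post, this is a stored XSS that fires for every visitor of the page.
    return '<span class="' . $atts['wrapper_class'] . '">'
         . $atts['label'] . ' ' . number_format( $cost, 2 )
         . '</span>';
}

// --- HARDENED pattern: validate each input, escape each output for its context ---
function demo_cog_product_cost_safe( $atts ) {
    $atts = shortcode_atts( array(
        'product_id'    => get_the_ID(),
        'label'         => 'Cost:',
        'wrapper_class' => 'cog-cost',
    ), $atts, 'alg_wc_cog_product_cost' );

    // Coerce the id to a non-negative integer instead of trusting the string.
    $product_id = absint( $atts['product_id'] );
    $cost       = demo_get_product_cost( $product_id );

    // Reduce the class to safe characters; fall back to a known value if empty.
    $wrapper_class = sanitize_html_class( $atts['wrapper_class'], 'cog-cost' );

    // esc_attr() for an attribute value, esc_html() for text content.
    // Plain text is all that is needed here, so no HTML is allowed through.
    return sprintf(
        '<span class="%s">%s %s</span>',
        esc_attr( $wrapper_class ),
        esc_html( $atts['label'] ),
        esc_html( number_format( $cost, 2 ) )
    );
}

// Register the hardened handler; the tag name matches the advisory,
// the callback is the hypothetical one defined above.
add_shortcode( 'alg_wc_cog_product_cost', 'demo_cog_product_cost_safe' );
```

The same escaping rule applies to the profit shortcode named in the advisory: every attribute that ends up in markup is escaped with the function matching the context it lands in (esc_attr for attribute values, esc_html for text, esc_url for href/src, wp_kses_post only where limited HTML is genuinely required). Escaping at output is the control that closes CWE-79 even when a contributor-level account can legitimately place the shortcode on a page.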
OpenCVE Enrichment