CVE-2024-27994 describes a cross-site scripting vulnerability in the YITH WooCommerce Product Add-Ons plugin (versions ≤ 4.5.0) by YITHEMES. The vulnerability is due to improper neutralization of input during web page generation, which can allow attackers to inject malicious scripts. The CVSS 3.1 base score is 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network exploitable with low attack complexity, no privileges required, user interaction needed, scope changed, and impacts on confidentiality, integrity, and availability. No patch or official fix information is provided in the data. The vulnerability is published and assigned by Patchstack, but no known exploits are reported.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of the affected web application, potentially leading to data disclosure, modification, or disruption of service. The CVSS vector indicates impacts on confidentiality, integrity, and availability with a high severity rating. However, no known exploits in the wild have been reported so far.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is provided, users of YITH WooCommerce Product Add-Ons should monitor the vendor's communications for updates. Until a patch is available, consider applying any recommended temporary mitigations from the vendor or limiting exposure by restricting user input or access where feasible.