The Robokassa payment gateway plugin for WooCommerce versions up to 1.6.1 contains a reflected cross-site scripting vulnerability due to improper input neutralization during web page generation. This flaw allows attackers to inject malicious scripts that could be executed in the context of the victim's browser, potentially leading to information disclosure, session hijacking, or other impacts affecting confidentiality, integrity, and availability. The vulnerability is remotely exploitable without privileges and requires user interaction. The CVSS 3.1 base score is 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). No patch or official remediation information is provided in the available data.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of the affected web application, potentially leading to partial loss of confidentiality, integrity, and availability of the affected system or user data. The reflected XSS could be used to steal user credentials, perform actions on behalf of users, or disrupt service. However, no known exploits have been reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or limiting use of the affected plugin version and apply web application firewall (WAF) rules to detect and block reflected XSS attempts. Monitor vendor communications for updates on patches or official mitigations.