The ACL Floating Cart for WooCommerce plugin (versions <= 0.9) suffers from a reflected cross-site scripting vulnerability due to improper input neutralization during web page generation. This flaw allows attackers to inject malicious scripts that execute in the context of users visiting affected pages. The vulnerability has a CVSS 3.1 base score of 7.1, reflecting its high severity and potential impact on confidentiality, integrity, and availability. No vendor advisory or patch information is currently available, and the plugin is not a cloud service, so remediation depends on the vendor releasing an update.

Successful exploitation of this reflected XSS vulnerability could allow attackers to execute arbitrary JavaScript in the browsers of users interacting with the affected plugin, potentially leading to session hijacking, information disclosure, or other client-side impacts. The CVSS vector indicates that exploitation requires user interaction but no privileges or authentication. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or removing the affected plugin version to mitigate risk. Monitor the vendor's channels for updates or patches addressing this vulnerability.