The WP e-Commerce Style Email plugin for WordPress, developed by Jacob Schwartz, contains a reflected cross-site scripting vulnerability identified as CVE-2024-52462. This vulnerability is due to improper neutralization of input during web page generation, enabling attackers to inject malicious scripts that are reflected in the web response. The affected versions include all releases up to and including 0.6.2. The CVSS v3.1 base score is 7.1, indicating a high severity with network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and impacts on confidentiality, integrity, and availability. There is no vendor advisory or patch information currently available, and no known exploits in the wild have been reported.

Successful exploitation of this reflected XSS vulnerability can allow attackers to execute arbitrary scripts in the context of the affected web application, potentially leading to partial disclosure of sensitive information, modification of data, and disruption of service. The CVSS score reflects these impacts as low confidentiality, integrity, and availability impacts. Since the vulnerability requires user interaction and is exploitable remotely without privileges, it poses a significant risk to users of the affected plugin versions.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or removing the WP e-Commerce Style Email plugin if feasible. Additionally, applying web application firewall (WAF) rules to detect and block reflected XSS attempts may help mitigate risk. Monitor vendor channels for updates and apply patches promptly once available.