This vulnerability in HasThemes Free WooCommerce Theme 99fy Extension 99fy-core allows stored cross-site scripting due to improper input neutralization during web page generation. It affects versions up to and including 1.2.8. The CVSS 3.1 vector indicates network attack vector, low attack complexity, low privileges required, user interaction required, scope changed, and impacts on confidentiality, integrity, and availability at a low level.

Successful exploitation could allow an attacker to execute arbitrary scripts in the context of the affected web application, potentially leading to information disclosure, modification of data, or disruption of service. However, exploitation requires user interaction and low privileges, limiting the ease of attack. There are no reports of active exploitation in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should exercise caution with input handling and consider applying any recommended temporary mitigations from the vendor. Monitor the vendor's channels for updates regarding patches or official fixes.