This vulnerability in the Tax Report for WooCommerce plugin (versions <= 2.2) allows reflected cross-site scripting due to improper input neutralization during web page generation. An attacker can craft malicious input that is reflected in the web page without proper sanitization, potentially leading to script execution in the context of the victim's browser. The CVSS 3.1 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and impacts on confidentiality, integrity, and availability at low levels. No official patch or fix is currently documented.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of users visiting affected pages, potentially leading to theft of sensitive information, session hijacking, or other malicious actions impacting confidentiality, integrity, and availability. The reflected nature requires user interaction, such as clicking a crafted link. No known exploits in the wild have been reported to date.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should exercise caution with untrusted input and consider implementing web application firewall (WAF) rules to detect and block reflected XSS attempts. Monitor vendor channels for updates and apply official patches promptly once released.