This vulnerability in the Custom WP Store Locator plugin (versions <= 1.4.7) allows reflected Cross-site Scripting (XSS) due to improper input neutralization during web page generation. An attacker can craft a malicious URL or input that, when processed by the plugin, results in script execution in the victim's browser. The CVSS 3.1 base score is 7.1, indicating high severity, with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and availability. The vulnerability is publicly disclosed but no patch or mitigation guidance is provided by the vendor.

Successful exploitation could allow an attacker to execute arbitrary scripts in the context of the affected website's users, potentially leading to theft of sensitive information, session hijacking, or other malicious actions impacting confidentiality, integrity, and availability. Since this is a reflected XSS, the attack requires user interaction (e.g., clicking a crafted link). No known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, users should consider disabling or restricting access to the affected plugin or applying web application firewall (WAF) rules to detect and block reflected XSS payloads targeting this plugin. Monitor official vendor channels for updates and patches.