The Jakeii Pesapal Gateway for Woocommerce plugin (version ≤ 2.1.0) suffers from a reflected cross-site scripting vulnerability due to improper input neutralization during web page generation. This flaw allows attackers to inject malicious scripts that execute in the context of the victim's browser, potentially leading to data theft, session hijacking, or other impacts on confidentiality, integrity, and availability. The CVSS v3.1 base score is 7.1, indicating high severity with network attack vector, low attack complexity, no privileges required, user interaction required, and scope changed.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of a user's browser when interacting with the affected plugin, potentially leading to information disclosure, session hijacking, or other malicious actions impacting confidentiality, integrity, and availability of the affected system or user data.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should exercise caution with untrusted input and consider disabling or limiting use of the affected plugin version. Monitor vendor channels for updates or patches addressing this vulnerability.