The WP Wham SKU Generator for WooCommerce plugin versions up to 1.6.2 contain a reflected cross-site scripting vulnerability due to improper input neutralization during web page generation. This flaw allows attackers to inject malicious scripts that execute in users' browsers when they interact with crafted web pages involving the plugin. The vulnerability is remotely exploitable without privileges and requires user interaction. It impacts confidentiality, integrity, and availability to a limited extent, as reflected by a CVSS 3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). No patch or official remediation guidance is currently available from the vendor, and no exploits have been observed in the wild.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of a victim's browser, potentially leading to theft of sensitive information, session hijacking, or other malicious actions affecting confidentiality, integrity, and availability. The reflected nature of the XSS requires user interaction to trigger the attack. There are no known active exploits reported at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, users should consider disabling or removing the affected plugin version or applying any recommended temporary mitigations from the vendor. Avoid interacting with untrusted links that might trigger the reflected XSS vulnerability.