This vulnerability in the WooCommerce Sales MIS Report plugin (versions up to 4.0.3) is due to improper input sanitization during web page generation, resulting in a reflected cross-site scripting (XSS) flaw. An attacker can craft malicious input that, when reflected by the plugin, executes arbitrary scripts in the victim's browser session. The CVSS 3.1 base score is 7.1, indicating high severity with network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and impacts on confidentiality, integrity, and availability at low levels.

Successful exploitation allows an attacker to execute arbitrary scripts in the context of the affected web application, potentially leading to theft of user data, session hijacking, or other malicious actions impacting confidentiality, integrity, and availability at a low level. The reflected nature means the attack requires user interaction (e.g., clicking a crafted link). No known exploits in the wild have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or restricting access to the affected plugin and avoid clicking suspicious links that could trigger reflected XSS. Monitor vendor channels for updates and apply patches promptly once released.