This vulnerability affects IP2Location Variables up to version 2.9.5 and involves a CSRF flaw that can be leveraged to perform reflected XSS attacks. The vulnerability allows an attacker to trick a user into submitting unauthorized requests, potentially leading to information disclosure or manipulation of application state. The CVSS 3.1 base score of 7.1 reflects network attack vector, low attack complexity, no privileges required, user interaction required, scope change, and impacts on confidentiality, integrity, and availability.

Successful exploitation could allow attackers to execute unauthorized actions on behalf of authenticated users and inject malicious scripts via reflected XSS, potentially leading to data exposure, session hijacking, or other impacts on confidentiality, integrity, and availability. However, no known exploits have been reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider implementing CSRF protections such as anti-CSRF tokens and input validation to mitigate reflected XSS risks. Monitor vendor communications for updates on patches or official mitigations.