This vulnerability (CVE-2025-39537) in Blaze Concepts Better Customer List for WooCommerce plugin versions up to 1.2.3 is a reflected cross-site scripting (XSS) issue caused by improper input neutralization during web page generation. The flaw allows attackers to inject malicious scripts that execute in the context of a victim's browser when they interact with crafted web content. The CVSS 3.1 base score is 7.1, indicating high severity, with attack vector network, low attack complexity, no privileges required, user interaction required, scope changed, and impacts on confidentiality, integrity, and availability at a low level. No patch or vendor advisory is currently available, and the plugin is not a cloud service.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of the affected web application, potentially leading to partial disclosure of information, manipulation of data, or disruption of service. The reflected XSS requires user interaction to trigger and does not require authentication or privileges. There are no known active exploits reported at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or restricting access to the affected plugin to mitigate risk. Monitor vendor channels for updates and apply patches promptly once released.