This vulnerability in PickPlugins Wishlist plugin (<= 1.0.43) involves improper input sanitization leading to stored cross-site scripting (XSS). An attacker can inject malicious scripts that are stored and later executed in the context of other users viewing the wishlist pages. The CVSS 3.1 score of 6.5 reflects medium severity with network attack vector, low complexity, and impacts on confidentiality, integrity, and availability. No patch or official remediation guidance is currently available, and no exploits are known in the wild.

Successful exploitation could allow an attacker to execute arbitrary scripts in the victim's browser when they view the affected wishlist pages. This can lead to information disclosure, session hijacking, or other client-side impacts affecting confidentiality, integrity, and availability. However, no known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, users should consider limiting exposure by restricting access to the affected functionality or applying web application firewall (WAF) rules to detect and block suspicious input patterns related to XSS. Monitor vendor channels for updates and apply official fixes promptly once released.