This vulnerability involves improper input sanitization in the impleCode Product Catalog Simple plugin, specifically in the post-type-x functionality, leading to stored cross-site scripting (XSS). An attacker with low privileges can inject malicious scripts that are stored and executed when other users view the affected pages. The vulnerability affects all versions up to 1.8.1. The CVSS 3.1 base score is 6.5, reflecting network attack vector, low attack complexity, low privileges required, user interaction needed, and partial impact on confidentiality, integrity, and availability.

Successful exploitation can allow an attacker to execute arbitrary scripts in the context of the affected application, potentially leading to partial disclosure of information, modification of data, or disruption of service. The impact is limited by the requirement for user interaction and low privileges, but the vulnerability can compromise user sessions or perform actions on behalf of users.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider restricting user input in the affected component and applying web application firewall (WAF) rules to detect and block XSS payloads. Monitor vendor channels for updates and apply patches promptly once released.