The vulnerability CVE-2025-49947 affects the extendons WooCommerce Registration Fields Plugin - Custom Signup Fields (versions ≤ 3.2.3). It is a reflected Cross-site Scripting (XSS) issue caused by improper neutralization of input during web page generation. This allows attackers to inject malicious scripts that are reflected back to users, potentially leading to information disclosure, session hijacking, or other impacts associated with XSS. The CVSS 3.1 base score is 7.1, reflecting network attack vector, low complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and availability at a low level. No patch or official remediation guidance is currently provided in the available data.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of the affected web application for users who interact with crafted input. This can lead to partial confidentiality, integrity, and availability impacts such as theft of user credentials, session tokens, or performing actions on behalf of the user. However, exploitation requires user interaction and the vulnerability is limited to reflected XSS scenarios. There are no known active exploits reported at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or restricting use of the affected plugin to mitigate risk. Monitor vendor channels for updates and apply patches promptly once released. Avoid clicking on suspicious links that could trigger reflected XSS attacks in the affected plugin context.