CVE-2025-49958 is a reflected Cross-site Scripting vulnerability in the Robokassa payment gateway plugin for WooCommerce (versions ≤ 1.8.6). It results from improper input neutralization during web page generation, enabling attackers to inject and execute malicious scripts via crafted input that is reflected back to users. The vulnerability has a CVSS 3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network exploitable with low complexity, no privileges required, user interaction needed, and impacts confidentiality, integrity, and availability to a limited extent. No patch or official vendor advisory is currently provided, and no known exploitation has been reported.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of the victim's browser, potentially leading to theft of sensitive information, session hijacking, or other malicious actions. The vulnerability affects confidentiality, integrity, and availability to a limited degree as indicated by the CVSS vector. However, exploitation requires user interaction and the attacker must lure the victim to a crafted URL or page.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or fix information is available, users of the Robokassa payment gateway for WooCommerce should monitor vendor communications for updates. Until a fix is released, consider applying temporary mitigations such as input validation or disabling the plugin if feasible. Avoid clicking on suspicious links that could trigger the reflected XSS.