The vulnerability identified as CVE-2025-53297 affects the AA-Team Woocommerce Envato Affiliates plugin (version ≤ 1.2.1). It is a reflected cross-site scripting (XSS) issue caused by improper input neutralization during web page generation. This allows attackers to inject and execute arbitrary scripts in users' browsers when they interact with crafted URLs or inputs. The CVSS v3.1 base score is 7.1, indicating a high severity with network attack vector, low attack complexity, no privileges required, user interaction needed, and impacts on confidentiality, integrity, and availability. No patch or mitigation details have been disclosed by the vendor.

Successful exploitation of this vulnerability can result in execution of arbitrary scripts in the context of the affected web application, potentially leading to theft of user credentials, session hijacking, or other malicious actions impacting confidentiality, integrity, and availability. The CVSS score of 7.1 reflects these impacts. However, no known exploits are reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should exercise caution when interacting with untrusted inputs or URLs related to the affected plugin. Monitor vendor channels for updates and apply patches promptly once released.