The GLS Shipping for WooCommerce plugin versions up to 1.4.0 contain a reflected cross-site scripting vulnerability due to improper input neutralization during web page generation. This flaw allows attackers to inject and execute arbitrary scripts in the victim's browser when they interact with crafted input, potentially leading to session hijacking, data theft, or other malicious actions. The vulnerability is remotely exploitable without privileges and requires user interaction. The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, reflecting network attack vector, low attack complexity, no privileges required, user interaction needed, scope changed, and low impact on confidentiality, integrity, and availability.

Successful exploitation can lead to execution of arbitrary scripts in the context of the affected website, potentially compromising user sessions, stealing sensitive information, or performing unauthorized actions on behalf of the user. The vulnerability affects confidentiality, integrity, and availability to a limited extent. There are no reports of active exploitation in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or limiting use of the affected plugin version. Employing web application firewalls (WAFs) that detect and block reflected XSS payloads may provide temporary mitigation. Monitor vendor channels for updates and apply patches promptly once available.