CVE-2021-39314: 
WordPress vulnerability analysis and mitigation

The WooCommerce EnvioPack WordPress plugin was identified with a Reflected Cross-Site Scripting vulnerability (CVE-2021-39314). The vulnerability was discovered in versions up to and including 1.2, with the initial record being created on August 20, 2021. The security issue affects the plugin's functionality through the dataid parameter in the ~/includes/functions.php file (NVD, CVE Mitre).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Under CVSS v2.0, it received a Base Score of 4.3 (Medium) with the vector (AV:N/AC:M/Au:N/C:N/I:P/A:N). The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (Wordfence).

The vulnerability allows attackers to inject arbitrary web scripts through the dataid parameter, potentially compromising the security of the website and its users. The CVSS scores indicate that while the vulnerability requires user interaction, it can lead to limited confidentiality and integrity breaches in a changed scope scenario (NVD).

As of the latest information available, no patch has been released for this vulnerability. Users of the WooCommerce EnvioPack WordPress plugin version 1.2 or earlier should consider implementing general XSS protection measures and monitoring for potential updates (NVD).