The WooCommerce plugin for WordPress has a stored cross-site scripting (XSS) vulnerability in its product import functionality: an attacker can use cross-site request forgery (CSRF) to inject malicious HTML into product descriptions. The importer uses `call_user_func()` to process its steps in sequence, but only the first step is protected with a nonce. An attacker can bypass this protection by manipulating the `$this->step` variable so that functions belonging to other steps are called directly, which lets them import products with unsanitized HTML. Furthermore, the `import()` function localizes and enqueues JavaScript variables controlled by the attacker, which results in CSRF when they are sent in an AJAX request to the WordPress backend. If not patched, this vulnerability can lead to stored XSS, arbitrary JavaScript execution, and potentially PHP code execution on remote servers.
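The step-dispatch weakness described above, next to a hardened form, as an added example that is not WooCommerce's code. The class, method and request-field names are hypothetical, and an HMAC stands in for the WordPress nonce API.

```php
<?php
declare(strict_types=1);
// Added illustration (PHP 8+): hypothetical multi-step importer, not WooCommerce's code.
final class ImporterSketch {
    private const STEPS = ['upload', 'import'];

    public function __construct(private string $secret, private string $session) {}

    // Stand-in for a WordPress nonce: an HMAC bound to the action and the user's session.
    public function nonceFor(string $action): string {
        return hash_hmac('sha256', $action . '|' . $this->session, $this->secret);
    }

    // Weak pattern from the text: only the first step is nonce-protected.
    public function dispatchWeak(array $req): string {
        $step = $req['step'] ?? 'upload';
        if ($step === 'upload' && !$this->nonceOk($req)) {
            return 'rejected';
        }
        return call_user_func([$this, 'step_' . $step]);
    }

    // Hardened: allow-list the step name, then verify the nonce on every step.
    public function dispatchHardened(array $req): string {
        $step = $req['step'] ?? 'upload';
        if (!in_array($step, self::STEPS, true) || !$this->nonceOk($req)) {
            return 'rejected';
        }
        return call_user_func([$this, 'step_' . $step]);
    }

    private function nonceOk(array $req): bool {
        $nonce = $req['nonce'] ?? '';
        return is_string($nonce) && hash_equals($this->nonceFor('import'), $nonce);
    }

    private function step_upload(): string { return 'upload form'; }
    private function step_import(): string { return 'import started'; }
}

// Constructed requests: a forged cross-site request cannot carry a valid nonce.
$imp    = new ImporterSketch('constructed-secret', 'constructed-session');
$forged = ['step' => 'import'];
$legit  = ['step' => 'import', 'nonce' => $imp->nonceFor('import')];
echo 'weak, forged: ', $imp->dispatchWeak($forged), PHP_EOL;
echo 'hardened, forged: ', $imp->dispatchHardened($forged), PHP_EOL;
echo 'hardened, legit: ', $imp->dispatchHardened($legit), PHP_EOL;
```

Only the weak dispatcher lets the nonce-less request reach the import step. The nonce check closes the CSRF path only; imported HTML still has to be sanitized before it is stored or rendered.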