Go ahead and disable WooCommerce and comment on a post; you can do the same thing because you’re logged in as admin. Admin users are able to post unfiltered content. If you repeat the test logged out, you’ll notice you’re not able to exploit anything.
See this trac ticket from WordPress https://core.trac.wordpress.org/ticket/33402
And this article on make.wordpress https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html
For future reference, please report security issues responsibly rather than publicly – use https://hackerone.com/automattic