Wordpress Plugin Hacking???

can someone clear this up for me I don't understand when I scan my site with wpscan and it say a certain plugin is vulnerable I dunno say for example woocommerce - v2.3.13 how would you use this vulnerability if you don't actually have access to to it say for example http://site.com/wp-content/plugins/woocommerce/.....vulnerable to xss but if you try to go to the site plugin it forbidden so how can it be vulnerable if its forbidden???or you don't have access to it??