CVE-2026-1986
Status: Received - Intake
Reflected XSS in FloristPress Woo Plugin via noresults Parameter

Publication date: 2026-03-26

Last updated on: 2026-03-26

Assigner: Wordfence

Description
The FloristPress for Woo – Customize your eCommerce store for your Florist plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'noresults' parameter in all versions up to, and including, 7.8.2 due to insufficient input sanitization and output escaping on the user supplied 'noresults' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Meta Information
Published: 2026-03-26
Last Modified: 2026-03-26
Generated: 2026-05-07
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: bakkbone
Product: florist_companion
Version / Range: up to and including 7.8.2
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-1986 is a Reflected Cross-Site Scripting (XSS) vulnerability in the FloristPress for Woo – Customize your eCommerce store for your Florist plugin for WordPress. It affects all versions up to and including 7.8.2. The vulnerability arises because the plugin does not properly sanitize and escape user-supplied input in the 'noresults' parameter.

This allows unauthenticated attackers to inject arbitrary web scripts into pages by tricking users into clicking on malicious links. When a user interacts with such a crafted link, the injected script executes in their browser, potentially leading to unauthorized actions or data theft.

The issue was fixed in version 7.8.3 by sanitizing the input using WordPress's wp_kses() function, which restricts allowed HTML tags and attributes, preventing malicious script injection.


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to execute malicious scripts in the context of your website users' browsers without authentication.

  • Attackers can steal sensitive information such as cookies, session tokens, or other private data.
  • It can lead to unauthorized actions performed on behalf of users, such as changing settings or making purchases.
  • It can damage your website's reputation and trustworthiness if users are exposed to malicious content.
  • Users may be redirected to malicious sites or have malware installed via the injected scripts.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is a reflected Cross-Site Scripting (XSS) issue in the FloristPress for Woo – Customize your eCommerce store for your Florist plugin for WordPress, specifically via the 'noresults' parameter in versions up to 7.8.2.

To detect this vulnerability on your system, you can test if the 'noresults' parameter in the plugin's frontend suburb search feature is vulnerable by sending crafted HTTP requests containing script payloads in the 'noresults' parameter and observing if the script executes in the response.

For example, you can use curl commands to send requests with a script payload in the 'noresults' parameter and check if the response contains unsanitized script code.

  • curl -G --data-urlencode "noresults=<script>alert('XSS')</script>" "http://your-wordpress-site/path-to-plugin-endpoint" (replace the host and endpoint path with those of your own site)
  • Inspect the HTTP response body for the injected script tag appearing verbatim, i.e. without HTML escaping or tag stripping.

If the script is reflected and executed in the browser, the vulnerability is present.

Note that the vulnerability was fixed in version 7.8.3 by sanitizing the 'noresults' parameter output using WordPress's wp_kses() function.
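As an added defender-side check (not part of the original advisory and not the plugin's own code), the snippet below implements the two verifications described above: reading the plugin's "Stable tag" from its readme.txt (standard WordPress plugin layout; the slug bakkbone-florist-companion comes from the mitigation answer on this page) and classifying how a harmless canary value comes back in a response body, distinguishing verbatim echo from esc_html-style encoding or wp_kses-style tag stripping. Network fetching is left out and all inputs are constructed samples.

```python
import re
from html import escape

# Fixed release per the advisory; plugin slug as named in the mitigation answer.
FIXED_VERSION = (7, 8, 3)
PLUGIN_SLUG = "bakkbone-florist-companion"

# WordPress plugins ship a readme.txt with a "Stable tag:" line; on a site it is
# normally served from this path (standard WP layout, assumed here).
README_PATH = f"/wp-content/plugins/{PLUGIN_SLUG}/readme.txt"


def parse_stable_tag(readme_text: str):
    """Return the 'Stable tag' version as a tuple of ints, or None if absent."""
    m = re.search(r"^Stable tag:\s*v?(\d+(?:\.\d+)*)\s*$", readme_text, re.M | re.I)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def needs_update(version) -> bool:
    """True when the installed version is below the fixed release 7.8.3."""
    return version is not None and version < FIXED_VERSION


# Harmless reflection canary: a unique marker plus a bogus tag. esc_html() would
# encode the angle brackets, wp_kses() would strip the unknown tag, and a
# vulnerable page echoes the value verbatim.
MARKER = "zq9rfl"
CANARY = MARKER + "<x>"


def classify_reflection(body: str) -> str:
    """Classify how the canary came back in a response body."""
    if CANARY in body:
        return "reflected-unescaped"    # echoed without any neutralization
    if MARKER in body:
        return "reflected-neutralized"  # echoed, but the tag was escaped or stripped
    return "not-reflected"


# Constructed sample data (not captured from a real site).
SAMPLE_README = "=== FloristPress for Woo ===\nStable tag: 7.8.2\nRequires PHP: 7.4\n"
VULNERABLE_BODY = f"<p>No results for {CANARY}</p>"
ESCAPED_BODY = f"<p>No results for {escape(CANARY)}</p>"   # esc_html-style output
STRIPPED_BODY = f"<p>No results for {MARKER}</p>"          # wp_kses-style output

if __name__ == "__main__":
    v = parse_stable_tag(SAMPLE_README)
    print(f"{README_PATH}: version {v}, needs update: {needs_update(v)}")
    for name, body in [("vulnerable", VULNERABLE_BODY), ("escaped", ESCAPED_BODY),
                       ("stripped", STRIPPED_BODY)]:
        print(name, "->", classify_reflection(body))
```

A "reflected-neutralized" result for a site still reporting a Stable tag below 7.8.3 usually means a WAF or theme layer is escaping the value, not that the plugin itself is fixed.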


What immediate steps should I take to mitigate this vulnerability?

The primary immediate mitigation step is to update the bakkbone-florist-companion WordPress plugin to version 7.8.3 or later, where the vulnerability has been fixed by properly sanitizing user input.

If updating immediately is not possible, consider implementing web application firewall (WAF) rules to block or sanitize requests containing suspicious script payloads in the 'noresults' parameter.

Additionally, educate users to avoid clicking on suspicious links that may exploit this reflected XSS vulnerability.

Ensure that your WordPress installation and all plugins are kept up to date to reduce exposure to known vulnerabilities.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability is a reflected cross-site scripting (XSS) issue that allows unauthenticated attackers to inject arbitrary scripts via the 'noresults' parameter. This can lead to execution of malicious scripts in users' browsers if they are tricked into clicking a crafted link.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, reflected XSS vulnerabilities can potentially lead to unauthorized access to user data or session hijacking, which may impact data privacy and security requirements under such regulations.

Therefore, this vulnerability could negatively affect compliance with data protection regulations by exposing users to risks of data leakage or unauthorized actions, especially if personal or sensitive information is accessible through the affected plugin.

The vulnerability was fixed by sanitizing user input with WordPress's wp_kses() function to prevent script injection, which helps mitigate these risks and improve compliance posture.

