CVE-2026-27354
Stored XSS in WooCommerce Coming Soon Product Plugin
Publication date: 2026-03-05
Last updated on: 2026-03-06
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| webcodingplace | woo_coming_soon_product | From 5.0|end_including=5.0 (inc) |
| webcodingplace | woo_coming_soon_product_with_countdown | to 5.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27354 is a medium severity Cross Site Scripting (XSS) vulnerability affecting the WordPress WooCommerce Coming Soon Product with Countdown Plugin versions 5.0 and below.
This vulnerability allows a malicious actor to inject and execute arbitrary scriptsβsuch as redirects, advertisements, or other HTML payloadsβon affected websites when visitors access the compromised pages.
Exploitation requires user interaction by a privileged user (e.g., subscriber or developer role) performing actions like clicking a malicious link, visiting a crafted page, or submitting a form.
How can this vulnerability impact me? :
This vulnerability can lead to the execution of arbitrary scripts on your website, which may result in unauthorized redirects, display of unwanted advertisements, or other malicious HTML payloads.
Such exploitation can compromise the integrity and trustworthiness of your website, potentially harming your users and damaging your reputation.
Since exploitation requires interaction by a privileged user, attackers might leverage this to escalate their access or perform further attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Stored Cross-Site Scripting (XSS) in the WooCommerce Coming Soon Product with Countdown plugin, which allows injection and execution of arbitrary scripts when affected pages are accessed.
Detection typically involves monitoring for suspicious script injections or unusual HTML payloads on web pages generated by the plugin, especially those accessible by privileged users.
Since no official patch is available, and the vulnerability requires user interaction, network or system detection can include inspecting HTTP requests and responses for injected scripts or unexpected payloads.
Specific commands are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves applying the Patchstack mitigation rule designed to block attacks exploiting this vulnerability.
Since no official patch is currently available, users are advised to implement this mitigation to protect their websites until a safe patch is released.
Additionally, restricting privileged user interactions and monitoring for suspicious activity can help reduce risk.