CVE-2026-27354
Received Received - Intake
Stored XSS in WooCommerce Coming Soon Product Plugin

Publication date: 2026-03-05

Last updated on: 2026-03-06

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product allows Stored XSS.This issue affects WooCommerce Coming Soon Product with Countdown: from n/a through <= 5.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-06
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27354
EUVD
EUVD-2026-9620
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
webcodingplace woo_coming_soon_product From 5.0|end_including=5.0 (inc)
webcodingplace woo_coming_soon_product_with_countdown to 5.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27354 is a medium severity Cross Site Scripting (XSS) vulnerability affecting the WordPress WooCommerce Coming Soon Product with Countdown Plugin versions 5.0 and below.

This vulnerability allows a malicious actor to inject and execute arbitrary scriptsβ€”such as redirects, advertisements, or other HTML payloadsβ€”on affected websites when visitors access the compromised pages.

Exploitation requires user interaction by a privileged user (e.g., subscriber or developer role) performing actions like clicking a malicious link, visiting a crafted page, or submitting a form.

Impact Analysis

This vulnerability can lead to the execution of arbitrary scripts on your website, which may result in unauthorized redirects, display of unwanted advertisements, or other malicious HTML payloads.

Such exploitation can compromise the integrity and trustworthiness of your website, potentially harming your users and damaging your reputation.

Since exploitation requires interaction by a privileged user, attackers might leverage this to escalate their access or perform further attacks.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves Stored Cross-Site Scripting (XSS) in the WooCommerce Coming Soon Product with Countdown plugin, which allows injection and execution of arbitrary scripts when affected pages are accessed.

Detection typically involves monitoring for suspicious script injections or unusual HTML payloads on web pages generated by the plugin, especially those accessible by privileged users.

Since no official patch is available, and the vulnerability requires user interaction, network or system detection can include inspecting HTTP requests and responses for injected scripts or unexpected payloads.

Specific commands are not provided in the available resources.

Mitigation Strategies

Immediate mitigation involves applying the Patchstack mitigation rule designed to block attacks exploiting this vulnerability.

Since no official patch is currently available, users are advised to implement this mitigation to protect their websites until a safe patch is released.

Additionally, restricting privileged user interactions and monitoring for suspicious activity can help reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27354. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart