CVE-2026-27363
Received Received - Intake
Stored XSS in WP Bakery Autoresponder Addon

Publication date: 2026-03-05

Last updated on: 2026-03-09

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kamleshyadav WP Bakery Autoresponder Addon vc-autoresponder-addon allows Stored XSS.This issue affects WP Bakery Autoresponder Addon: from n/a through <= 1.0.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-09
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27363
EUVD
EUVD-2026-9625
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
kamleshyadav vc_autoresponder_addon to 1.0.6 (inc)
kamleshyadav vc-autoresponder-addon to 1.0.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27363 is a Stored Cross-Site Scripting (XSS) vulnerability in the WP Bakery Autoresponder Addon Plugin for WordPress, versions up to and including 1.0.6.

This vulnerability allows an attacker to inject malicious scriptsβ€”such as redirects, advertisements, or other HTML payloadsβ€”that execute when site visitors access the compromised pages.

Exploitation requires user interaction by a privileged user, such as clicking a malicious link, visiting a crafted page, or submitting a form, although the initial attack vector can be initiated by an unauthenticated user.

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to attackers executing malicious scripts on your website, which can result in unauthorized redirects, display of unwanted advertisements, or other harmful HTML payloads.'}, {'type': 'paragraph', 'content': "Such attacks can compromise the security and integrity of your website, potentially harming your users and damaging your site's reputation."}, {'type': 'paragraph', 'content': 'Since exploitation requires interaction by a privileged user, attackers might trick administrators or other high-privilege users into triggering the malicious scripts.'}] [1]

Compliance Impact

I don't know

Detection Guidance

This vulnerability affects the WP Bakery Autoresponder Addon Plugin versions up to and including 1.0.6. Detection involves identifying if this plugin version is installed on your WordPress site.

Since the vulnerability is a Stored Cross-Site Scripting (XSS), monitoring for unusual or malicious script injections in web pages generated by the plugin can help detect exploitation attempts.

No specific commands are provided in the available resources for direct detection on network or system level.

Mitigation Strategies

There is no official patch available for this vulnerability as of now.

Patchstack has issued a mitigation rule to block attacks targeting this vulnerability. Users are advised to apply Patchstack’s mitigation measures immediately to protect their websites.

Additionally, monitoring and restricting user inputs and interactions that could trigger the vulnerability, especially from privileged users, can help reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27363. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart