CVE-2026-39508
Received Received - Intake
DOM-Based XSS in Advanced Coupons for WooCommerce

Publication date: 2026-04-08

Last updated on: 2026-04-10

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Josh Kohlbach Advanced Coupons for WooCommerce Coupons advanced-coupons-for-woocommerce-free allows DOM-Based XSS.This issue affects Advanced Coupons for WooCommerce Coupons: from n/a through <= 4.7.1.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-10
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39508
EUVD
EUVD-2026-20175
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
josh_kohlbach advanced_coupons_for_woocommerce_coupons to 4.7.1.1 (inc)
rymera_web_co advanced_coupons_for_woocommerce_coupons to 4.7.1.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39508 is a Cross Site Scripting (XSS) vulnerability in the WordPress Advanced Coupons for WooCommerce Coupons Plugin versions up to and including 4.7.1.1.

This vulnerability allows attackers to inject malicious scriptsβ€”such as redirects, advertisements, or other HTML payloadsβ€”that execute when site visitors access the compromised website.

Exploitation requires a user with at least Contributor or Developer privileges to perform an action like clicking a malicious link, visiting a crafted page, or submitting a form, meaning user interaction is necessary for the attack to succeed.

Impact Analysis

This vulnerability can lead to the execution of malicious scripts on your website, which may result in unwanted redirects, display of unauthorized advertisements, or other harmful HTML payloads.

Because the attack requires user interaction and certain user privileges, it may be limited in scope but can still compromise the integrity and trustworthiness of your website.

Although the vulnerability is considered a moderate risk with a CVSS score of 6.5, no impactful threat has been reported, and it is classified as a low priority by Patchstack.

Users are strongly advised to update to version 4.7.2 or later to mitigate the risk.

Mitigation Strategies

To mitigate the CVE-2026-39508 vulnerability, users should update the Advanced Coupons for WooCommerce Coupons plugin to version 4.7.2 or later, as this version contains the patch for the Cross Site Scripting (XSS) issue.

Additionally, Patchstack offers automated updates for vulnerable plugins, which can facilitate rapid protection against this vulnerability.

Detection Guidance

This vulnerability is a DOM-Based Cross-Site Scripting (XSS) issue in the Advanced Coupons for WooCommerce Coupons plugin up to version 4.7.1.1. Detection typically involves checking the plugin version installed on your WordPress site.

To detect if your system is vulnerable, you can verify the plugin version by running commands to list installed WordPress plugins and their versions.

  • Use WP-CLI to check the plugin version: wp plugin list --status=active
  • Look specifically for 'advanced-coupons-for-woocommerce-coupons' and check if the version is less than or equal to 4.7.1.1.

Additionally, monitoring web traffic for suspicious script injections or unexpected redirects on pages generated by this plugin may help detect exploitation attempts.

Since exploitation requires user interaction with crafted pages or links, scanning for unusual input handling or testing with security tools that simulate XSS payloads on affected pages can also assist in detection.

Compliance Impact

The provided information does not specify any direct impact of this Cross-site Scripting (XSS) vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39508. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart