CVE-2026-39508
DOM-Based XSS in Advanced Coupons for WooCommerce
Publication date: 2026-04-08
Last updated on: 2026-04-10
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| josh_kohlbach | advanced_coupons_for_woocommerce_coupons | to 4.7.1.1 (inc) |
| rymera_web_co | advanced_coupons_for_woocommerce_coupons | to 4.7.1.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39508 is a Cross Site Scripting (XSS) vulnerability in the WordPress Advanced Coupons for WooCommerce Coupons Plugin versions up to and including 4.7.1.1.
This vulnerability allows attackers to inject malicious scriptsβsuch as redirects, advertisements, or other HTML payloadsβthat execute when site visitors access the compromised website.
Exploitation requires a user with at least Contributor or Developer privileges to perform an action like clicking a malicious link, visiting a crafted page, or submitting a form, meaning user interaction is necessary for the attack to succeed.
How can this vulnerability impact me? :
This vulnerability can lead to the execution of malicious scripts on your website, which may result in unwanted redirects, display of unauthorized advertisements, or other harmful HTML payloads.
Because the attack requires user interaction and certain user privileges, it may be limited in scope but can still compromise the integrity and trustworthiness of your website.
Although the vulnerability is considered a moderate risk with a CVSS score of 6.5, no impactful threat has been reported, and it is classified as a low priority by Patchstack.
Users are strongly advised to update to version 4.7.2 or later to mitigate the risk.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-39508 vulnerability, users should update the Advanced Coupons for WooCommerce Coupons plugin to version 4.7.2 or later, as this version contains the patch for the Cross Site Scripting (XSS) issue.
Additionally, Patchstack offers automated updates for vulnerable plugins, which can facilitate rapid protection against this vulnerability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a DOM-Based Cross-Site Scripting (XSS) issue in the Advanced Coupons for WooCommerce Coupons plugin up to version 4.7.1.1. Detection typically involves checking the plugin version installed on your WordPress site.
To detect if your system is vulnerable, you can verify the plugin version by running commands to list installed WordPress plugins and their versions.
- Use WP-CLI to check the plugin version: wp plugin list --status=active
- Look specifically for 'advanced-coupons-for-woocommerce-coupons' and check if the version is less than or equal to 4.7.1.1.
Additionally, monitoring web traffic for suspicious script injections or unexpected redirects on pages generated by this plugin may help detect exploitation attempts.
Since exploitation requires user interaction with crafted pages or links, scanning for unusual input handling or testing with security tools that simulate XSS payloads on affected pages can also assist in detection.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this Cross-site Scripting (XSS) vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.