CVE-2026-6725
Stored XSS in WPC Smart Messages WooCommerce Plugin
Publication date: 2026-04-28
Last updated on: 2026-04-28
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpclever | wpc_smart_messages_for_woocommerce | to 4.2.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6725 is a Stored Cross-Site Scripting (XSS) vulnerability in the WPC Smart Messages for WooCommerce WordPress plugin. It occurs due to insufficient input sanitization and output escaping of the 'text' attribute in the wpcsm_text_rotator shortcode. Authenticated users with contributor-level access or higher can inject malicious scripts into pages, which then execute whenever other users view those pages.
How can this vulnerability impact me? :
This vulnerability allows attackers with contributor-level access to inject arbitrary web scripts into the website. These scripts can execute in the browsers of users who visit the affected pages, potentially leading to theft of user credentials, session hijacking, defacement, or other malicious actions. Because the attack is stored, the malicious code persists and affects all users accessing the injected content.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if the WPC Smart Messages for WooCommerce plugin is installed and running a vulnerable version (up to and including 4.2.8). Since the vulnerability is a Stored Cross-Site Scripting via the 'text' attribute of the wpcsm_text_rotator shortcode, detection can include searching for usage of this shortcode with suspicious or malicious script content.
You can check the installed plugin version via WordPress CLI with the command: wp plugin list | grep wpc-smart-messages
To detect potential exploitation attempts or injected scripts, you might search the WordPress database for instances of the shortcode containing suspicious script tags, for example using a MySQL query:
- SELECT * FROM wp_posts WHERE post_content LIKE '%[wpcsm_text_rotator%<script%'
Additionally, monitoring HTTP requests for unusual payloads or script injections targeting pages that use this shortcode can help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the WPC Smart Messages for WooCommerce plugin to a fixed version beyond 4.2.8, such as version 4.2.9 or later, where the vulnerability has been patched.
If immediate updating is not possible, restrict contributor-level and higher user permissions to trusted users only, as the vulnerability requires authenticated users with contributor-level access or above to exploit.
Review and sanitize any existing content using the wpcsm_text_rotator shortcode to remove any injected scripts.
Implement Web Application Firewall (WAF) rules to block suspicious payloads targeting this shortcode or script injection attempts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the CVE-2026-6725 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.