CVE-2026-57356
Deferred Deferred - Pending Action

Unauthenticated XSS in MC WooCommerce Wishlist

Vulnerability report for CVE-2026-57356, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: Patchstack

Description

Unauthenticated Cross Site Scripting (XSS) in MC Woocommerce Wishlist <= 1.9.19 versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-02
Last Modified
2026-07-02
Generated
2026-07-02
AI Q&A
2026-07-02
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The WordPress MC WooCommerce Wishlist Plugin, versions 1.9.19 and below, contains a Cross Site Scripting (XSS) vulnerability. This flaw allows attackers to inject malicious scripts into websites using the plugin. When visitors interact with the site, such as by clicking a malicious link or visiting a crafted page, these scripts can execute harmful actions like redirects or displaying unwanted advertisements.

Impact Analysis

This vulnerability can lead to attackers executing malicious scripts on your website, which may cause unwanted redirects, display of advertisements, or other harmful actions affecting your visitors. Since the vulnerability requires user interaction, attackers might trick users into clicking malicious links or visiting crafted pages. The impact includes potential compromise of user experience, trust, and security on affected websites.

Detection Guidance

The vulnerability is a Cross Site Scripting (XSS) issue in the MC WooCommerce Wishlist Plugin versions 1.9.19 and below. Detection typically involves monitoring for malicious script injections or unusual redirects triggered by user interactions such as clicking crafted links.

While no specific commands are provided, you can detect exploitation attempts by inspecting web server logs for suspicious query parameters or payloads targeting the wishlist plugin endpoints. Additionally, using web application firewalls (WAF) with rules designed to block XSS payloads can help identify attack attempts.

Mitigation Strategies

The immediate recommended step is to update the MC WooCommerce Wishlist Plugin to version 1.9.20 or later, where the vulnerability is patched.

Until the update can be applied, applying the mitigation rule provided by Patchstack to block attack attempts is advised.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57356. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart