CVE-2026-57414
Received Received - Intake

Stored XSS in WoowBot WooCommerce Chatbot

Vulnerability report for CVE-2026-57414, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: Patchstack

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuantumCloud ChatBot for eCommerce &#8211; WoowBot woowbot-woocommerce-chatbot allows Stored XSS.This issue affects ChatBot for eCommerce &#8211; WoowBot: from n/a through <= 4.6.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
patchstack woowbot_woocommerce_chatbot 4.6.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a Cross Site Scripting (XSS) issue found in the WordPress ChatBot for eCommerce – WoowBot Plugin, specifically in versions 4.6.1 and earlier.

It occurs due to improper neutralization of input during web page generation, allowing attackers to inject malicious scripts into the website.

These malicious scripts can execute when visitors access the site, potentially causing redirects or displaying unwanted advertisements.

Exploitation requires a privileged user to perform an action such as clicking a malicious link or submitting a form.

Impact Analysis

This vulnerability can lead to attackers injecting malicious scripts that execute in the context of the website.

Such scripts can redirect users to malicious sites, display unwanted advertisements, or perform other harmful actions.

Because the vulnerability requires a privileged user to trigger it, it could lead to unauthorized actions or compromise of user data.

The CVSS score of 6.5 indicates a moderate level of risk, meaning it could be exploited in widespread attacks if not patched.

Users are advised to update to version 4.7.0 or later to mitigate this risk.

Detection Guidance

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the WoowBot WooCommerce ChatBot plugin versions 4.6.1 and earlier. Detection typically involves checking the plugin version and monitoring for suspicious script injections or unexpected behavior in web pages generated by the plugin.

To detect if your system is vulnerable, first verify the installed version of the WoowBot plugin. For WordPress, you can use the following command to check the plugin version via WP-CLI:

  • wp plugin list | grep woowbot-woocommerce-chatbot

If the version is 4.6.1 or earlier, the system is vulnerable. Additionally, you can scan your web pages or database for suspicious script tags or payloads that might indicate stored XSS attempts.

Network detection can involve monitoring HTTP traffic for suspicious payloads or script injections targeting the chatbot pages, but no specific commands or signatures are provided in the available resources.

Mitigation Strategies

The immediate recommended mitigation is to update the WoowBot WooCommerce ChatBot plugin to version 4.7.0 or later, where the vulnerability has been fixed.

Until the update can be applied, Patchstack has issued a mitigation rule that can be used to block attacks exploiting this vulnerability.

Additionally, restricting privileged user actions that could trigger the exploit, such as clicking malicious links or submitting untrusted forms, can reduce risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57414. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart