CVE-2026-57686
Deferred Deferred - Pending Action

Unauthenticated XSS in WowAddons <= 1.6.14

Vulnerability report for CVE-2026-57686, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: Patchstack

Description

Unauthenticated Cross Site Scripting (XSS) in WowAddons <= 1.6.14 versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-02
Last Modified
2026-07-02
Generated
2026-07-02
AI Q&A
2026-07-02
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
patchstack wowaddons to 1.6.14 (inc)
wowaddons wowaddons to 1.6.14 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The WordPress WowAddons Plugin, versions 1.6.14 and below, is vulnerable to a Cross Site Scripting (XSS) attack. This vulnerability allows malicious actors to inject harmful scripts into websites, which can execute when visitors access the site.

The exploit can be initiated by unauthenticated users and requires user interaction, such as clicking a malicious link or visiting a crafted page.

The vulnerability is classified as medium priority with a CVSS severity score of 7.1.

Impact Analysis

This vulnerability can lead to malicious scripts executing in the context of your website when visitors interact with crafted content.

  • It can cause unwanted redirects to malicious sites.
  • It can display unwanted or harmful content to users.

Such actions can harm your website's reputation, compromise user trust, and potentially lead to further security issues.

Detection Guidance

This vulnerability involves Cross Site Scripting (XSS) in the WordPress WowAddons Plugin versions 1.6.14 and below, which can be exploited by unauthenticated users through crafted pages or malicious links.

To detect this vulnerability on your system, you can monitor web traffic for suspicious requests containing script injections targeting the WowAddons plugin endpoints.

While no specific commands are provided in the resources, typical detection methods include using web application firewalls (WAF) with rules to detect XSS payloads, or scanning HTTP requests for suspicious parameters that include script tags or encoded payloads.

You may also use tools like curl or wget to test for XSS by sending crafted requests to the plugin's input fields and observing if the response reflects injected scripts.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the WordPress WowAddons Plugin to version 1.6.15 or later, where the issue has been patched.

Until the update can be applied, it is recommended to implement the mitigation rule provided by Patchstack to block attacks targeting this vulnerability.

Additionally, consider using a web application firewall (WAF) to block malicious XSS payloads and monitor for suspicious activity related to the plugin.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57686. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart