Pre Order Addon for WooCommerce CVE-2025-26553
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spring Devs Pre Order Addon for WooCommerce - Advance Order/Backorder Plugin allows Reflected XSS. This issue affects Pre Order Addon for WooCommerce - Advance Order/Backorder Plugin: from n/a through 2.2.
AnalysisAI
Reflected cross-site scripting (XSS) in Pre Order Addon for WooCommerce versions through 2.2 allows remote attackers to execute malicious JavaScript in victim browsers via specially crafted URLs. The vulnerability requires victim interaction (UI:R) and enables cross-site scope (S:C) attacks, potentially leading to session hijacking, credential theft, or malicious actions performed in the context of authenticated WooCommerce administrators. EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation, with no public exploit code or CISA KEV listing identified. This is a typical stored input validation flaw in WordPress plugin development affecting e-commerce environments.
Technical ContextAI
This is a reflected XSS vulnerability (CWE-79) in a WordPress/WooCommerce plugin that manages pre-order and backorder functionality for online stores. The flaw stems from improper neutralization of user-supplied input during dynamic web page generation, allowing attacker-controlled data to be reflected back to users without adequate sanitization or output encoding. WordPress plugins commonly suffer from XSS when developers fail to use WordPress's built-in escaping functions (esc_html, esc_url, wp_kses) on user input rendered in admin panels or public-facing pages. The vulnerability affects versions through 2.2, indicating longstanding insecure coding practices in input validation and output encoding routines within the plugin's codebase.
Affected ProductsAI
Spring Devs Pre Order Addon for WooCommerce (also marketed as Advance Order/Backorder Plugin) versions from earliest release through version 2.2 are confirmed vulnerable. This WordPress plugin integrates with WooCommerce to provide pre-order and backorder management capabilities for online stores. The vulnerability was reported by Patchstack's security audit team, indicating discovery through third-party security research rather than vendor disclosure. Administrators should verify their installed version via WordPress admin dashboard under Plugins section (plugin slug: wc-pre-order).
RemediationAI
Immediately update Pre Order Addon for WooCommerce to version 2.3 or later if available, referencing the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wc-pre-order/vulnerability/wordpress-pre-order-addon-for-woocommerce-plugin-1-0-7-reflected-cross-site-scripting for patched version confirmation. If no patched version exists or immediate patching is infeasible, implement these compensating controls: (1) Disable the plugin entirely if pre-order functionality is not business-critical-this eliminates attack surface but removes all pre-order capabilities; (2) Restrict plugin access to trusted administrator IPs via WordPress firewall rules or .htaccess (limits who can trigger the vulnerability but does not prevent social engineering of authorized admins); (3) Deploy web application firewall (WAF) rules to detect and block common XSS payloads in HTTP parameters, though this provides incomplete protection against obfuscated attacks and may cause false positives blocking legitimate admin actions. Educate administrators never to click untrusted links while logged into WordPress admin panel.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today