Skip to main content

Pre Order Addon for WooCommerce CVE-2025-26553

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-15 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:31 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:31 vuln.today
CVE Published
Mar 15, 2025 - 22:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spring Devs Pre Order Addon for WooCommerce - Advance Order/Backorder Plugin allows Reflected XSS. This issue affects Pre Order Addon for WooCommerce - Advance Order/Backorder Plugin: from n/a through 2.2.

AnalysisAI

Reflected cross-site scripting (XSS) in Pre Order Addon for WooCommerce versions through 2.2 allows remote attackers to execute malicious JavaScript in victim browsers via specially crafted URLs. The vulnerability requires victim interaction (UI:R) and enables cross-site scope (S:C) attacks, potentially leading to session hijacking, credential theft, or malicious actions performed in the context of authenticated WooCommerce administrators. EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation, with no public exploit code or CISA KEV listing identified. This is a typical stored input validation flaw in WordPress plugin development affecting e-commerce environments.

Technical ContextAI

This is a reflected XSS vulnerability (CWE-79) in a WordPress/WooCommerce plugin that manages pre-order and backorder functionality for online stores. The flaw stems from improper neutralization of user-supplied input during dynamic web page generation, allowing attacker-controlled data to be reflected back to users without adequate sanitization or output encoding. WordPress plugins commonly suffer from XSS when developers fail to use WordPress's built-in escaping functions (esc_html, esc_url, wp_kses) on user input rendered in admin panels or public-facing pages. The vulnerability affects versions through 2.2, indicating longstanding insecure coding practices in input validation and output encoding routines within the plugin's codebase.

Affected ProductsAI

Spring Devs Pre Order Addon for WooCommerce (also marketed as Advance Order/Backorder Plugin) versions from earliest release through version 2.2 are confirmed vulnerable. This WordPress plugin integrates with WooCommerce to provide pre-order and backorder management capabilities for online stores. The vulnerability was reported by Patchstack's security audit team, indicating discovery through third-party security research rather than vendor disclosure. Administrators should verify their installed version via WordPress admin dashboard under Plugins section (plugin slug: wc-pre-order).

RemediationAI

Immediately update Pre Order Addon for WooCommerce to version 2.3 or later if available, referencing the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wc-pre-order/vulnerability/wordpress-pre-order-addon-for-woocommerce-plugin-1-0-7-reflected-cross-site-scripting for patched version confirmation. If no patched version exists or immediate patching is infeasible, implement these compensating controls: (1) Disable the plugin entirely if pre-order functionality is not business-critical-this eliminates attack surface but removes all pre-order capabilities; (2) Restrict plugin access to trusted administrator IPs via WordPress firewall rules or .htaccess (limits who can trigger the vulnerability but does not prevent social engineering of authorized admins); (3) Deploy web application firewall (WAF) rules to detect and block common XSS payloads in HTTP parameters, though this provides incomplete protection against obfuscated attacks and may cause false positives blocking legitimate admin actions. Educate administrators never to click untrusted links while logged into WordPress admin panel.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2025-26553 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy