Skip to main content

WoodMart CVE-2026-56072

| EUVDEUVD-2026-39724 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-26 audit@patchstack.com GHSA-p5jp-3f2p-w428
7.1
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated network-reachable reflected XSS (PR:N, AV:N, AC:L) requires victim click (UI:R); script crosses into the user session (S:C) with limited C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:55 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in WoodMart <= 8.5.3 versions.

AnalysisAI

Reflected cross-site scripting in the WoodMart premium WooCommerce/WordPress theme (versions up to and including 8.5.3) allows unauthenticated remote attackers to inject script that executes in a victim's browser when the victim is lured into triggering a crafted request. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 7.1 with a changed scope, reflecting impact that crosses from the theme into the user's authenticated session context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious link with XSS payload
Delivery
Lure authenticated victim to click
Exploit
Payload reflected unsanitized in WoodMart page
Execution
Script executes in victim browser
Impact
Steal session/perform actions as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to interact with attacker-supplied content (CVSS UI:R) - typically clicking a crafted link or visiting a malicious page that triggers the reflected parameter in WoodMart <= 8.5.3; the attacker themselves needs no authentication (PR:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, base 7.1) indicates a network-reachable, low-complexity, unauthenticated issue that nonetheless requires user interaction (UI:R) - the attacker must convince a victim to click a crafted link or visit a malicious page, which materially lowers real-world likelihood compared to a no-interaction flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL pointing at the vulnerable WoodMart endpoint with a malicious script payload embedded in a reflected parameter, then distributes it via email, social media, or a malicious page. When a store administrator or customer clicks the link while authenticated, the script executes in their browser session, enabling session/cookie theft, request forgery, or content manipulation. …
Remediation Upgrade the WoodMart theme to the first release above 8.5.3 that Patchstack/the vendor identifies as fixed; an exact patched version number was not included in the provided input, so consult the Patchstack advisory (https://patchstack.com/database/wordpress/theme/woodmart/vulnerability/wordpress-woodmart-theme-8-5-3-cross-site-scripting-xss-vulnerability?_s_id=cve) and the XTemos changelog to confirm the fixed build before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all WordPress/WooCommerce properties running WoodMart theme versions ≤8.5.3; deploy Web Application Firewall rules blocking reflected XSS payloads targeting theme parameters; enable detailed request logging for security monitoring. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56072 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy