Skip to main content

WoowBot CVE-2026-57414

| EUVDEUVD-2026-43486 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

Stored XSS via authenticated chatbot input; PR:L required for payload submission, UI:R for victim trigger, S:C for cross-user browser impact; A:N as XSS does not cause meaningful availability loss.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 11:24 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuantumCloud ChatBot for eCommerce &#8211; WoowBot woowbot-woocommerce-chatbot allows Stored XSS.This issue affects ChatBot for eCommerce &#8211; WoowBot: from n/a through <= 4.6.1.

AnalysisAI

Stored Cross-Site Scripting in QuantumCloud's WoowBot (ChatBot for eCommerce) WordPress plugin allows authenticated low-privileged users to inject persistent malicious scripts that execute in victims' browsers when stored content is rendered. Versions through 4.6.1 are affected, with a scope change confirmed by the CVSS vector (S:C), meaning attacker-controlled JavaScript runs in the context of other users - including administrators. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register low-privileged WooCommerce account
Delivery
Submit crafted XSS payload via chatbot input
Exploit
Payload stored in database without sanitization
Execution
Admin views chat log in WordPress backend
Persist
Injected script executes in admin browser
Impact
Exfiltrate session token to attacker server

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session with at least low-privileged access (PR:L per CVSS) - this is likely a registered WooCommerce customer or WordPress subscriber role, meaning any site with open user registration is at elevated risk. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (Medium) is reasonable but the CVSS scope change (S:C) meaningfully elevates real-world impact: a low-privileged user can affect administrator sessions, enabling privilege escalation or site takeover via session hijacking or admin-side script injection. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or uses an existing low-privileged WooCommerce customer account and submits a crafted chatbot message containing a JavaScript payload such as a session-cookie stealer. When a site administrator reviews the chat conversation log in the WordPress backend, the stored script executes in their browser, exfiltrating the admin session cookie to an attacker-controlled endpoint and enabling full site takeover. …
Remediation The primary remediation is to update the WoowBot plugin beyond version 4.6.1; however, an exact patched release version is not confirmed in the available intelligence - consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/woowbot-woocommerce-chatbot/vulnerability/wordpress-chatbot-for-ecommerce-woowbot-plugin-4-6-1-cross-site-scripting-xss-vulnerability and the WordPress plugin repository for the latest release. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57414 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy