Skip to main content

SeedProd Pro CVE-2026-57617

| EUVDEUVD-2026-39740 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-26 audit@patchstack.com GHSA-9499-25wc-w6pm
6.5
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

Contributor auth required (PR:L), victim must view page (UI:R), scope changes to victim browser (S:C); availability impact assessed as None since XSS does not disrupt service.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 26, 2026 - 16:17 vuln.today
Patch available
Jun 26, 2026 - 16:01 EUVD

DescriptionCVE.org

Contributor Cross Site Scripting (XSS) in SeedProd Pro < 6.19.5 versions.

AnalysisAI

Stored Cross-Site Scripting in SeedProd Pro WordPress plugin (versions below 6.19.5) allows an authenticated Contributor-level user to inject malicious JavaScript that executes in the context of other users' browsers, including administrators. The changed scope (S:C) in the CVSS vector confirms the impact crosses from the plugin's trust boundary into victims' browser sessions, enabling session hijacking, credential theft, or unauthorized administrative actions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Contributor account on target site
Delivery
Inject XSS payload via SeedProd Pro page field
Exploit
Victim administrator loads affected page
Execution
Malicious script executes in admin's browser
Impact
Exfiltrate session cookie or perform admin action

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress Contributor-level account (or higher) on the target site - this is PR:L per the CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 6.5 (Medium) score reflects a network-accessible, low-complexity attack that requires low privileges (Contributor) and user interaction (a victim must load the affected page). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a Contributor account on a SeedProd Pro-enabled WordPress site and injects a malicious JavaScript payload into a page element or field managed by the plugin. When an Administrator or Editor visits the affected page or preview, the script executes in their browser session, potentially exfiltrating authentication cookies or performing privileged actions such as creating a rogue admin account. …
Remediation Upgrade SeedProd Pro to version 6.19.5 or later, which contains the vendor-released patch per Patchstack advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57617 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy