Skip to main content

BEAR EUVDEUVD-2026-40096

| CVE-2026-57320 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-29 Patchstack GHSA-w5v2-p57c-3889
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated network XSS (PR:N, AV:N, AC:L) requiring victim interaction (UI:R); script runs in a different security scope (S:C) with limited browser-context C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 15:15 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in BEAR <= 1.1.8 versions.

AnalysisAI

Reflected/stored cross-site scripting in the WordPress plugin BEAR (realmag777's WooCommerce Bulk Editor and Products Manager, woo-bulk-editor) version 1.1.8 and earlier allows an unauthenticated remote attacker to inject malicious script that executes in a victim's browser when the victim is lured to interact with a crafted request. The CVSS:3.1 vector (AV:N/PR:N/UI:R/S:C) indicates network-reachable, no-authentication exploitation that requires user interaction and crosses a security scope boundary. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious XSS payload for BEAR parameter
Delivery
Deliver crafted link or request to victim
Exploit
Victim (admin) interacts and triggers injection
Execution
Script executes in WordPress session context
Impact
Steal session/perform admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires no attacker authentication (PR:N) but does require victim user interaction (UI:R) - a user, typically an authenticated WordPress administrator using the BEAR/woo-bulk-editor interface, must be induced to load the attacker-crafted request or page. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderate and broadly consistent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL or form submission containing a malicious script payload aimed at a vulnerable BEAR parameter and lures a logged-in WordPress administrator into clicking it. Because exploitation needs no authentication on the attacker's side but does require the victim to interact (UI:R), the script then runs in the admin's browser session, enabling session/cookie theft, admin-action forgery, or injected content. …
Remediation No vendor-released patch version is identified in the available data; the input states only that versions <= 1.1.8 are affected, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/woo-bulk-editor/vulnerability/wordpress-bear-plugin-1-1-8-cross-site-scripting-xss-vulnerability) and upgrade to the first release above 1.1.8 once confirmed by realmag777. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Disable the BEAR plugin immediately and audit access logs for indicators of compromise. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40096 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy