Skip to main content

Product Feed Manager EUVDEUVD-2026-44863

| CVE-2026-15306 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-16 Wordfence GHSA-xw2w-9955-6f5w
6.1
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Network-delivered reflected XSS requiring no privileges; UI:R because victim must click; S:C because script executes in victim's browser context outside plugin scope.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 04:46 vuln.today
CVE Published
Jul 16, 2026 - 03:44 cve.org
MEDIUM 6.1

DescriptionCVE.org

The Product Feed Manager For WooCommerce - Sell on 200+ Online Marketplaces plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via 's' Search Parameter in all versions up to, and including, 7.6.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

AnalysisAI

Reflected Cross-Site Scripting in the Product Feed Manager For WooCommerce WordPress plugin (all versions through 7.6.1) allows unauthenticated remote attackers to inject arbitrary JavaScript via the unescaped 's' search parameter, which executes in a victim's browser upon interaction with a crafted link. The vulnerability is rooted in insufficient sanitization and output escaping within the plugin's admin-facing PHP classes, as confirmed by Wordfence with direct source code references to class-rex-product-feed-actions.php and class-rex-product-feed.php. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with plugin ≤7.6.1
Delivery
Craft URL with XSS payload in 's' parameter
Exploit
Phish authenticated admin via link
Execution
Admin clicks malicious URL
Persist
Reflected script executes in admin browser
Impact
Steal session cookie or perform admin actions

Vulnerability AssessmentAI

Exploitation The Product Feed Manager For WooCommerce plugin must be installed and active on the target WordPress site running a version at or below 7.6.1. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 6.1 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N reflects the key trade-off: the vulnerability is trivially exploitable over the network without authentication, but requires a victim to actively click a crafted link, limiting opportunistic mass exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a WordPress site running the vulnerable Product Feed Manager plugin, crafts a URL containing a malicious JavaScript payload embedded in the 's' search parameter pointing to the plugin's admin search page, and delivers it to a site administrator via phishing email or social media. When the administrator clicks the link while authenticated, the unsanitized parameter is reflected back into the page HTML and the script executes in their browser, potentially exfiltrating the admin session cookie or performing unauthorized actions on the WordPress backend. …
Remediation A code-level fix has been committed to the WordPress plugin repository SVN as changeset 3607243 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3607243%40best-woocommerce-feed&new=3607243%40best-woocommerce-feed), indicating upstream remediation is available; however, the exact released plugin version incorporating this fix is not independently confirmed from the provided data - users should update to the latest version available on WordPress.org and verify it is higher than 7.6.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44863 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy