Skip to main content

Wowaddons

2 CVEs product

Monthly

CVE-2026-57377 MEDIUM This Month

Missing authorization in WPXPO WowAddons WordPress plugin (versions through 1.6.8) enables unauthenticated remote attackers to invoke privileged plugin actions without proper access control checks. Exploitation produces limited integrity and availability impact - unauthorized modification or disruption of plugin-managed content - with no confidentiality exposure confirmed by the CVSS vector. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the zero-privileges-required network vector makes this class of flaw attractive for opportunistic automated scanning once a proof-of-concept surfaces.

Authentication Bypass Wowaddons
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57686 HIGH This Week

Reflected cross-site scripting in the WowAddons (Product Addons) WordPress plugin through version 1.6.14 lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser session. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) indicates no authentication is needed but the victim must be lured into interacting with a crafted request/link, and the scope-change flag reflects script execution crossing into the browser security context. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; EPSS was not provided.

XSS Wowaddons
NVD
CVSS 3.1
7.1
EPSS
0.2%
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization in WPXPO WowAddons WordPress plugin (versions through 1.6.8) enables unauthenticated remote attackers to invoke privileged plugin actions without proper access control checks. Exploitation produces limited integrity and availability impact - unauthorized modification or disruption of plugin-managed content - with no confidentiality exposure confirmed by the CVSS vector. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the zero-privileges-required network vector makes this class of flaw attractive for opportunistic automated scanning once a proof-of-concept surfaces.

Authentication Bypass Wowaddons
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the WowAddons (Product Addons) WordPress plugin through version 1.6.14 lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser session. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) indicates no authentication is needed but the victim must be lured into interacting with a crafted request/link, and the scope-change flag reflects script execution crossing into the browser security context. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; EPSS was not provided.

XSS Wowaddons
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy