Description
The FloristPress for Woo – Customize your eCommerce store for your Florist plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'noresults' parameter in all versions up to, and including, 7.8.2 due to insufficient input sanitization and output escaping on the user supplied 'noresults' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2026-03-26
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting that permits arbitrary script injection in victims’ browsers
Action: Patch Now
AI Analysis

Impact

The FloristPress for Woo plugin is vulnerable to reflected cross‑site scripting through the 'noresults' parameter. Insufficient input sanitization and output escaping allow an unauthenticated attacker to supply malicious content in this parameter, which is then reflected back to the user without proper encoding. The result is that arbitrary web scripts can be executed in the target’s browser when a vulnerable page is accessed, enabling client‑side attacks such as phishing or malicious content execution.

Affected Systems

Any WordPress site that has installed FloristPress for Woo – Customize your eCommerce store for your Florist plugin with a version equal to or older than 7.8.2 is affected. The vulnerability resides in the core/ajax.php file that processes the search‑result response when no items are found.

Risk and Exploitability

The CVSS base score of 6.1 indicates moderate severity. This flaw is unauthenticated and remote; an attacker must craft a URL containing a malicious payload in the 'noresults' parameter and lure a user to click that link. There is no EPSS data and the vulnerability is not listed in the CISA KEV catalog, but the potential for exploitation exists if users are tricked into visiting a malicious link.

Generated by OpenCVE AI on March 26, 2026 at 05:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FloristPress for Woo to the latest release (7.8.3 or newer) to eliminate the flaw.
  • If an upgrade is not immediately possible, modify the core/ajax.php file to sanitize or remove the 'noresults' parameter before it is output.
  • Deploy a web application firewall or input‑validation mechanism that blocks or sanitizes malicious content in the 'noresults' parameter.
  • Keep WordPress core, all plugins, and themes updated and monitor vendor advisories for additional security guidance.

Generated by OpenCVE AI on March 26, 2026 at 05:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Bakkbone
Bakkbone floristpress For Woo – Customize Your Ecommerce Store For Your Florist
Wordpress
Wordpress wordpress
Vendors & Products Bakkbone
Bakkbone floristpress For Woo – Customize Your Ecommerce Store For Your Florist
Wordpress
Wordpress wordpress

Thu, 26 Mar 2026 03:45:00 +0000

Type Values Removed Values Added
Description The FloristPress for Woo – Customize your eCommerce store for your Florist plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'noresults' parameter in all versions up to, and including, 7.8.2 due to insufficient input sanitization and output escaping on the user supplied 'noresults' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title FloristPress for Woo <= 7.8.2 - Reflected Cross-Site Scripting via 'noresults' Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Bakkbone Floristpress For Woo – Customize Your Ecommerce Store For Your Florist
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:59.042Z

Reserved: 2026-02-05T15:02:13.840Z

Link: CVE-2026-1986

cve-icon Vulnrichment

Updated: 2026-03-26T14:12:10.316Z

cve-icon NVD

Status : Deferred

Published: 2026-03-26T04:17:03.510

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-1986

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:08:44Z

Weaknesses