Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product allows Stored XSS.This issue affects WooCommerce Coming Soon Product with Countdown: from n/a through <= 5.0.
Published: 2026-03-05
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS) compromising page content
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, allowing an attacker to inject malicious scripts that are then stored in the product page. When a visitor loads the affected page, the injected code executes in their browser, potentially leading to site defacement, cookie theft, or session hijacking. This stored XSS flaw is significant because it can affect all users who view the compromised content.

Affected Systems

WebCodingPlace’s WooCommerce Coming Soon Product with Countdown plugin for WordPress is affected for all releases up through version 5.0 inclusive. Administrators who have editing rights on the plugin settings or product pages could introduce the malicious payload.

Risk and Exploitability

With a CVSS score of 6.5, the vulnerability presents moderate severity. The EPSS score is below 1 %, indicating a low probability of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers would need to access the plugin’s configuration or content editing interface—likely requiring authenticated privileged access—to inject the script, after which the stored payload would execute for any user who views the product page.

Generated by OpenCVE AI on April 16, 2026 at 12:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WooCommerce Coming Soon Product with Countdown to the latest version that contains the fix
  • Disable the plugin or remove the affected product pages until a patch is applied to prevent execution of stored scripts on live sites
  • Remove any malicious HTML or JavaScript payloads that may already be present in the database or product descriptions

Generated by OpenCVE AI on April 16, 2026 at 12:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Webcodingplace
Webcodingplace woocommerce Coming Soon Product With Countdown
Wordpress
Wordpress wordpress
Vendors & Products Webcodingplace
Webcodingplace woocommerce Coming Soon Product With Countdown
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product allows Stored XSS.This issue affects WooCommerce Coming Soon Product with Countdown: from n/a through <= 5.0.
Title WordPress WooCommerce Coming Soon Product with Countdown plugin <= 5.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Webcodingplace Woocommerce Coming Soon Product With Countdown
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:10.516Z

Reserved: 2026-02-19T09:51:41.702Z

Link: CVE-2026-27354

cve-icon Vulnrichment

Updated: 2026-03-06T19:03:27.285Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:25.537

Modified: 2026-03-06T20:16:14.353

Link: CVE-2026-27354

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T12:45:35Z

Weaknesses