Description
Unauthenticated Cross Site Scripting (XSS) in WowAddons <= 1.6.14 versions.
Published: 2026-07-02
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the CVE description, the WowAddons plugin versions 1.6.14 and earlier contain an unauthenticated Cross Site Scripting (XSS) vulnerability. Attackers can inject malicious scripts through input that the plugin processes, allowing arbitrary client‑side code execution in the context of a site visitor. The vulnerability is classified as CWE‑79. The overall impact depends on the execution context but may compromise confidentiality, integrity or availability as perceived by users.

Affected Systems

WordPress sites using the WowAddons plugin version 1.6.14 or earlier, distributed by WPXPO:WowAddons, are affected. Any installation that has not been updated to 1.6.15 or later remains vulnerable.

Risk and Exploitability

With a CVSS score of 7.1, this vulnerability is rated High severity. The CVE indicates that no authentication is required, but the exact attack surface is not detailed. The likely attack vector is inferred to be crafted input supplied through a plugin-provided field or URL that the plugin processes. No EPSS score is available, so the probability of exploitation is unknown. The vulnerability is not listed in CISA's KEV catalogue, suggesting no widespread known exploitation at present.

Generated by OpenCVE AI on July 2, 2026 at 17:44 UTC.

Remediation

Vendor Solution

Update the WordPress WowAddons Plugin to the latest available version (at least 1.6.15).


OpenCVE Recommended Actions

  • Update the WowAddons plugin to version 1.6.15 or later, as recommended by the vendor.
  • If an upgrade is not immediately possible, disable the WowAddons plugin or remove it entirely to eliminate the vulnerable code path.
  • Apply or enable a web‑application firewall that filters out script‑based payloads on input fields associated with the plugin, and perform routine vulnerability scans on the site.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 11:30:00 +0000

Type | Values Removed | Values Added
Description | | Unauthenticated Cross Site Scripting (XSS) in WowAddons <= 1.6.14 versions.
Title | | WordPress WowAddons plugin <= 1.6.14 - Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T13:55:19.542Z

Reserved: 2026-06-25T08:03:42.567Z

Link: CVE-2026-57686

Vulnrichment

Updated: 2026-07-02T13:55:15.343Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T17:45:03Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')