CVE-2025-26553
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spring Devs Pre Order Addon for WooCommerce – Advance Order/Backorder Plugin (wc-pre-order) allows Reflected XSS. This issue affects Pre Order Addon for WooCommerce – Advance Order/Backorder Plugin: from n/a through <= 2.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS vulnerability in Pre Order Addon for WooCommerce plugin allows attackers to inject malicious scripts via crafted requests.
The Pre Order Addon for WooCommerce – Advance Order/Backorder Plugin (wc-pre-order) versions up to 2.2 are vulnerable to reflected Cross-Site Scripting (XSS). The vulnerability arises from improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary JavaScript into a response.
Exploitation requires user interaction: a victim must click a malicious link or visit a specially crafted URL. This attack can be initiated by an unauthenticated attacker, but the victim must be logged into the WordPress admin area for the malicious script to execute. The plugin is widely used, and this vulnerability is expected to be targeted in mass-exploit campaigns, as noted by security researchers [1].
Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of the victim's browser. This could lead to session hijacking, redirection to malicious sites, defacement, or theft of sensitive data such as cookies and credentials. The impact is amplified because the attack targets admin users, potentially granting the attacker access to the entire WordPress installation.
The fix is to update the plugin to version 2.3 or later. As an immediate mitigation, a security rule is available from Patchstack to block attacks until the official update can be applied [1]. Given the severity and the likelihood of exploitation, users are strongly advised to remediate without delay.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
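The following is an added illustration of the mechanism the narrative describes (improper neutralization of a request parameter during page generation) and of the standard WordPress remedy; it is not code from the wc-pre-order plugin. The function names, the 'order_note' query parameter and the capability check are hypothetical, chosen only to show the vulnerable output pattern beside its hardened form.

```php
<?php
// Added example, not the plugin's code. Names prefixed wcpo_demo_ and the
// 'order_note' parameter are hypothetical.

// VULNERABLE PATTERN (reflected XSS): a query-string value is written
// straight into admin-page markup. A logged-in user who follows a crafted
// link gets the attacker-chosen value rendered as live HTML/JS in their
// authenticated session, which is the scenario described in the narrative.
function wcpo_demo_render_notice_vulnerable() {
    $note = isset( $_GET['order_note'] ) ? $_GET['order_note'] : '';
    echo '<div class="notice"><input type="text" value="' . $note . '">'
        . $note . '</div>';
}

// HARDENED PATTERN: restrict who can reach the handler, sanitize on input,
// and escape for the exact output context. sanitize_text_field(),
// wp_unslash(), esc_attr(), esc_html() and current_user_can() are core
// WordPress APIs; 'manage_woocommerce' is the WooCommerce capability used
// here only as a plausible gate for a store-admin screen.
function wcpo_demo_render_notice_hardened() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return; // unauthenticated or low-privilege requests never reach the sink
    }
    $note = isset( $_GET['order_note'] )
        ? sanitize_text_field( wp_unslash( $_GET['order_note'] ) )
        : '';
    // esc_attr() for the attribute context, esc_html() for element text:
    // the same value needs a context-specific escape at each sink.
    echo '<div class="notice"><input type="text" value="' . esc_attr( $note ) . '">'
        . esc_html( $note ) . '</div>';
}
```

During a code review of a WordPress plugin, the practical check is to look for echo/print of $_GET, $_POST or $_REQUEST values (or of variables derived from them) that are not wrapped in a context-appropriate esc_* function; the WordPress Coding Standards ruleset for PHP_CodeSniffer flags unescaped output automatically, which makes this class of defect cheap to catch before release.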
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.