Medium severity6.4NVD Advisory· Published May 2, 2026· Updated May 5, 2026
CVE-2026-0703
CVE-2026-0703
Description
The NextMove Lite – Thank You Page for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xlwcty_current_date' shortcode in all versions up to, and including, 2.23.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected products
1- Range: <=2.23.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- plugins.trac.wordpress.org/browser/woo-thank-you-page-nextmove-lite/tags/2.23.0/merge-tags/xlwcty-shortcode-merge-tags.phpnvd
- plugins.trac.wordpress.org/browser/woo-thank-you-page-nextmove-lite/tags/2.23.0/merge-tags/xlwcty-shortcode-merge-tags.phpnvd
- plugins.trac.wordpress.org/changeset/3482613/nvd
- www.wordfence.com/threat-intel/vulnerabilities/id/a8eab201-04a5-43df-bb9b-2964c50a1833nvd
News mentions
1- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 27, 2026 to May 3, 2026)Wordfence Blog · May 7, 2026