CVE-2026-27354
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebCodingPlace WooCommerce Coming Soon Product with Countdown (woo-coming-soon-product) allows Stored XSS. This issue affects WooCommerce Coming Soon Product with Countdown: from n/a through <= 5.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WooCommerce Coming Soon Product with Countdown plugin (≤5.0) allows attackers to inject malicious scripts via unneutralized input.
Vulnerability Overview
The WooCommerce Coming Soon Product with Countdown plugin (versions up to and including 5.0) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker with sufficient privileges to inject arbitrary JavaScript or HTML payloads that are stored on the server and later executed in the browsers of visitors.
Exploitation Prerequisites
Exploitation requires a privileged user role (e.g., administrator or editor) to submit crafted input through the plugin's settings or product fields. While the attacker must have some level of access, successful execution also depends on another privileged user performing an action such as clicking a malicious link or visiting a crafted page [1]. This makes the attack moderately complex but still viable in multi-user WordPress environments.
Impact
If exploited, the attacker can inject malicious scripts that execute when guests or other users visit the affected site. Potential consequences include redirecting visitors to malicious sites, displaying unauthorized advertisements, stealing session cookies, or defacing the site [1]. The CVSS v3 score of 6.5 (Medium) reflects the need for user interaction and privileged access, but the stored nature of the XSS increases its potential reach.
Mitigation Status
As of the publication date, no official patch has been released for the vulnerable plugin. However, Patchstack has issued a mitigation rule to block attacks until an update is available [1]. Users are strongly advised to update the plugin immediately once a patched version is released, or to contact their hosting provider for assistance. Given that this vulnerability is expected to be used in mass-exploit campaigns, prompt action is recommended [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
- Range: <=5.0
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
0No linked articles in our index yet.