CVE-2026-27363
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kamleshyadav WP Bakery Autoresponder Addon vc-autoresponder-addon allows Stored XSS. This issue affects WP Bakery Autoresponder Addon: from n/a through <= 1.0.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A Stored XSS vulnerability in WP Bakery Autoresponder Addon ≤1.0.6 allows attackers to inject malicious scripts via improperly neutralized input.
Vulnerability Overview
The vulnerability is a Stored Cross-Site Scripting (XSS) in the WordPress plugin WP Bakery Autoresponder Addon (vc-autoresponder-addon) versions through 1.0.6 [1]. It arises from improper neutralization of user-supplied input during web page generation, allowing an attacker with sufficient privileges to store a malicious script that executes in the context of a visitor's browser [1].
Exploitation
Exploitation requires a privileged user role to initiate the attack, but successful execution also relies on another user (such as a site visitor or administrator) performing an action like clicking a link or visiting a crafted page [1]. The stored script is triggered when the compromised page is loaded.
Impact
An attacker who successfully exploits this vulnerability can inject arbitrary HTML and JavaScript payloads, leading to redirects, display of advertisements, or other malicious activities when visitors access the affected site [1]. This can result in data theft, defacement, or further compromise of the website’s users.
Mitigation
The plugin is closed-source or otherwise unpatched at this time. Administrators are urged to update to a patched version as soon as it becomes available [1]. As an immediate measure, Patchstack provides a mitigation rule that blocks exploitation attempts until an official fix is released [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 1.0.6
Patches
No patches discovered yet.
References (1)
News mentions
No linked articles in our index yet.