Reflected Cross-Site Scripting in Product Feed Manager for WooCommerce by WordPress
CVE-2026-15306
6.1MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 16 July 2026
What is CVE-2026-15306?
The Product Feed Manager for WooCommerce plugin allows unauthenticated attackers to exploit a reflected cross-site scripting vulnerability through the 's' search parameter. This occurs due to inadequate input sanitization and output escaping in all versions up to and including 7.6.1. Attackers can inject arbitrary web scripts into pages, which may execute if users are tricked into clicking on malicious links, jeopardizing user security and data integrity.
Affected Version(s)
Product Feed Manager For WooCommerce β Sell on 200+ Online Marketplaces 0 <= 7.6.1