Reflected Cross-Site Scripting Vulnerability in GLS Shipping for WooCommerce (WordPress plugin)
CVE-2026-6417

6.1 MEDIUM

Key Information:

Vendor: WordPress

CVE Published: 14 May 2026

What is CVE-2026-6417?

The GLS Shipping for WooCommerce plugin for WordPress is vulnerable to reflected cross-site scripting in all versions up to and including 1.4.0. The value of the 'failed_orders' request parameter is echoed back into the page without adequate input sanitization or output escaping, so an unauthenticated attacker can craft a URL that carries arbitrary web script in that parameter. The script runs in the browser of any user who is tricked into following the crafted link, in that user's context on the site, which can expose the user's session or redirect them to an attacker-controlled page. Exploitation requires no privileges but does require the victim to visit the link (CVSS User Interaction: Required). The fix is to validate the parameter against the shape it is expected to have and to escape it at the point where it is written into HTML.
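As an added example (not the plugin's code, which is not shown on this page), the following PHP contrasts a handler that reflects a query parameter unescaped with a hardened version of the same handler. Only the parameter name 'failed_orders' is taken from the advisory; the function names, the notice markup and the assumption that the value is a comma-separated list of order IDs are illustrative choices.

```php
<?php
// Added illustration, not code from the GLS Shipping for WooCommerce plugin.
// It shows the reflected-XSS pattern the advisory describes (a request
// parameter echoed into HTML without escaping) next to a hardened handler.
// Only the parameter name 'failed_orders' comes from the advisory; the
// function names, the notice markup and the expected ID format are assumptions.

// Stand-ins so the file runs under plain `php` outside WordPress; inside
// WordPress the real esc_html(), absint() and wp_unslash() take over.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($maybeint) { return abs((int) $maybeint); }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) { return is_string($value) ? stripslashes($value) : $value; }
}

// Vulnerable pattern: the raw query value is concatenated straight into the page.
function gls_failed_orders_notice_vulnerable(array $get): string {
    $failed = $get['failed_orders'] ?? '';
    return '<div class="notice notice-error"><p>Failed orders: ' . $failed . '</p></div>';
}

// Hardened pattern: validate the shape first, then escape at output.
// A list of order IDs has no legitimate reason to contain anything but
// digits and commas, so anything else is rejected before it reaches markup.
function gls_failed_orders_notice_hardened(array $get): string {
    $raw = (string) wp_unslash($get['failed_orders'] ?? '');
    if (!preg_match('/^\d+(,\d+)*$/', $raw)) {
        return '';                                   // malformed: render nothing
    }
    $ids  = array_map('absint', explode(',', $raw));
    $text = implode(', ', $ids);
    // esc_html() is still applied: escaping at output is the control that
    // holds even if the validation above is loosened later.
    return '<div class="notice notice-error"><p>Failed orders: ' . esc_html($text) . '</p></div>';
}

// Constructed requests: one with the kind of payload a crafted link would
// carry, one with a well-formed value.
$crafted = ['failed_orders' => '12"><script>alert(document.domain)</script>'];
$benign  = ['failed_orders' => '12,15'];

echo gls_failed_orders_notice_vulnerable($crafted), "\n"; // script tag is echoed as-is
echo gls_failed_orders_notice_hardened($crafted), "\n";   // rejected by the shape check
echo gls_failed_orders_notice_hardened($benign), "\n";    // passes validation, escaped on output
```

Run it with `php` on the command line. The stand-in functions exist only so the snippet runs outside WordPress; in a real plugin, rely on the core esc_html(), absint() and wp_unslash(), and use esc_attr() or esc_url() instead of esc_html() when the value lands in an attribute or a URL rather than in element text.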

Affected Version(s)

GLS Shipping for WooCommerce: all versions up to and including 1.4.0

CVSS v3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Score: 6.1
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None (the listed 6.1 score corresponds to an availability impact of None; an impact of Low with the same remaining metrics would score 7.1)

Timeline

  • Vulnerability published: 14 May 2026

  • Vulnerability reserved

Credit

Tharadol Suksamran