Stored Cross-Site Scripting Vulnerability in WooCommerce Call for Price Plugin
CVE-2026-6447
4.4 MEDIUM
What is CVE-2026-6447?
The Call for Price for WooCommerce plugin for WordPress is affected by a stored cross-site scripting vulnerability caused by insufficient input sanitization and output escaping in the admin settings. The flaw permits authenticated users with administrator-level permissions to inject malicious web scripts. Such scripts could execute when an unsuspecting user visits an affected page. This poses a significant risk, particularly in multi-site installations or where unfiltered_html has been disabled. Administrators should update their installations promptly to mitigate this risk.
Affected Version(s)
Call for Price for WooCommerce 0 <= 4.2.0
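
A triage check for the conditions described above, added here as an example and not taken from the advisory or the plugin's code: it reads the installed version from the plugin header and checks wp-config.php for the WordPress constants MULTISITE and DISALLOW_UNFILTERED_HTML. It assumes "0 <= 4.2.0" means every version up to and including 4.2.0; the sample header and config are constructed, and the function names are illustrative.

```python
import re

AFFECTED_MAX = (4, 2, 0)  # upper bound of the affected range given on this page

# Constructed sample inputs (not taken from a real site or from the plugin).
SAMPLE_PLUGIN = """<?php
/**
 * Plugin Name: Call for Price for WooCommerce
 * Version: 4.1.3
 */
"""
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wp' );
// define( 'DISALLOW_UNFILTERED_HTML', true );
define( 'MULTISITE', true );
"""

def parse_version(text):
    """'4.1.3' -> (4, 1, 3); missing parts count as 0; None if no digits."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts))) if parts else None

def plugin_version(plugin_php):
    """Read the Version field of a WordPress plugin header, or None."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", plugin_php, re.M | re.I)
    return parse_version(m.group(1)) if m else None

def constant_is_true(wp_config, name):
    """True if a line starts with define('NAME', true); //-commented lines
    are skipped. Block comments and computed values are not handled."""
    pat = r"^\s*define\(\s*['\"]%s['\"]\s*,\s*(true|1)\s*\)" % re.escape(name)
    return re.search(pat, wp_config, re.M | re.I) is not None

def triage(plugin_php, wp_config):
    version = plugin_version(plugin_php)
    # None means the version could not be read, so the result is unknown.
    affected = None if version is None else version <= AFFECTED_MAX
    # The two configurations the advisory singles out.
    flagged = (constant_is_true(wp_config, "MULTISITE")
               or constant_is_true(wp_config, "DISALLOW_UNFILTERED_HTML"))
    return {"version": version, "affected": affected,
            "heightened": affected is True and flagged}

if __name__ == "__main__":
    print(triage(SAMPLE_PLUGIN, SAMPLE_CONFIG))
```

An "affected" value of None means the header could not be parsed and the version should be checked by hand.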