CVE-2026-15306 Overview
CVE-2026-15306 is a Reflected Cross-Site Scripting (XSS) vulnerability [CWE-79] in the Product Feed Manager For WooCommerce – Sell on 200+ Online Marketplaces plugin for WordPress. The flaw affects all versions up to and including 7.6.1. The vulnerability resides in the handling of the s search parameter, where the plugin fails to properly sanitize input and escape output. Unauthenticated attackers can craft malicious links containing arbitrary JavaScript payloads. When an authenticated user clicks the link, the script executes in their browser context, enabling session hijacking, credential theft, or unauthorized administrative actions.
Critical Impact
Unauthenticated attackers can execute arbitrary JavaScript in an administrator's browser through a crafted URL, potentially leading to account takeover on affected WooCommerce sites.
Affected Products
- Product Feed Manager For WooCommerce – Sell on 200+ Online Marketplaces plugin for WordPress
- All versions up to and including 7.6.1
- WordPress sites running WooCommerce with this plugin installed
Discovery Timeline
- 2026-07-16 - CVE-2026-15306 published to NVD
- 2026-07-16 - Last updated in NVD database
Technical Details for CVE-2026-15306
Vulnerability Analysis
The vulnerability is a Reflected Cross-Site Scripting flaw classified under [CWE-79]. The plugin processes the s search parameter received via HTTP requests and reflects its contents back into the rendered HTML response without adequate sanitization or output encoding. This allows attacker-supplied JavaScript to execute in the context of the victim's session on the vulnerable site.
Exploitation requires user interaction, typically through a phishing link or malicious redirect. Because the attack changes scope, the injected script can access resources beyond the vulnerable component, including administrative interfaces if the victim holds elevated privileges.
Root Cause
The root cause is insufficient input sanitization and missing output escaping in the code paths handling the s parameter. Review of the vulnerable code base references locations in admin/class-rex-product-feed-actions.php at lines 740, 767, and 841, and in includes/class-rex-product-feed.php at line 241. In these locations, user-controlled input is emitted into HTML output without passing through WordPress escaping functions such as esc_html(), esc_attr(), or wp_kses().
Attack Vector
An attacker constructs a URL to the vulnerable plugin endpoint with a malicious payload embedded in the s query parameter. The attacker delivers the link to a target user, typically an administrator, via phishing email, social media, or a compromised page. When the victim clicks the link while authenticated to WordPress, the reflected payload executes in their browser. The script inherits the victim's session privileges, enabling actions such as creating rogue admin accounts, exfiltrating nonce tokens, or modifying plugin configuration.
See the Wordfence Vulnerability Report and the WordPress Change Set Overview for technical details.
Detection Methods for CVE-2026-15306
Indicators of Compromise
- HTTP requests to WordPress admin endpoints containing <script>, javascript:, or URL-encoded script tags in the s parameter
- Unusual outbound requests from administrator browsers to attacker-controlled domains shortly after clicking external links
- Unexpected creation of WordPress administrator accounts or modifications to plugin settings
- Session cookies or nonces appearing in web server referrer logs pointing to third-party sites
Detection Strategies
- Inspect web server access logs for requests containing suspicious characters such as <, >, %3C, %3E, or onerror= in the s query parameter
- Deploy a Web Application Firewall (WAF) rule to flag XSS payload patterns targeting the plugin URLs
- Monitor WordPress audit logs for administrative actions that lack corresponding user activity in front-end sessions
Monitoring Recommendations
- Enable WordPress security logging plugins to capture failed and successful admin actions with source IP context
- Correlate browser telemetry with WordPress login events to identify anomalous script execution
- Track version metadata of installed plugins across all managed WordPress instances to flag vulnerable deployments
How to Mitigate CVE-2026-15306
Immediate Actions Required
- Update the Product Feed Manager For WooCommerce plugin to a version later than 7.6.1 as soon as a patched release is available
- Restrict administrative access to trusted IP addresses via .htaccess or reverse proxy rules until patching is complete
- Instruct administrators and privileged users to avoid clicking untrusted links to the WordPress site
- Rotate WordPress administrator passwords and invalidate active sessions if exploitation is suspected
Patch Information
A fix was committed to the plugin repository. Review the WordPress Change Set Overview to identify the corrected version. Site administrators should apply the update through the WordPress plugin management interface or via WP-CLI.
Workarounds
- Disable the Product Feed Manager For WooCommerce plugin until an updated version is installed
- Deploy a WAF with XSS filtering rules that block script payloads in the s query parameter
- Enforce a strict Content Security Policy (CSP) that disallows inline script execution to reduce impact of reflected payloads
- Require administrators to use browser sessions isolated from general browsing activity
# Example WP-CLI command to update the plugin once a patched release is available
wp plugin update best-woocommerce-feed --version=<patched-version>
# Verify installed version
wp plugin get best-woocommerce-feed --field=version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

