{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1986", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-05T15:02:13.840Z", "datePublished": "2026-03-26T02:25:20.549Z", "dateUpdated": "2026-04-08T17:30:59.042Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:59.042Z"}, "affected": [{"vendor": "bakkbone", "product": "FloristPress for Woo \u2013 Customize your eCommerce store for your Florist", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "7.8.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The FloristPress for Woo \u2013 Customize your eCommerce store for your Florist plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'noresults' parameter in all versions up to, and including, 7.8.2 due to insufficient input sanitization and output escaping on the user supplied 'noresults' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "FloristPress for Woo <= 7.8.2 - Reflected Cross-Site Scripting via 'noresults' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ea3b6fa6-1b58-40c2-8ec2-8a9211069f11?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bakkbone-florist-companion/trunk/src/core/ajax.php#L1583"}, {"url": "https://plugins.trac.wordpress.org/browser/bakkbone-florist-companion/tags/7.8.2/src/core/ajax.php#L1583"}, {"url": "https://plugins.trac.wordpress.org/changeset/3487687/bakkbone-florist-companion"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2026-02-06T01:23:21.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-25T14:09:09.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T14:12:03.459996Z", "id": "CVE-2026-1986", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:02:19.883Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1986", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T14:12:03.459996Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:12:10.316Z"}}], "cna": {"title": "FloristPress for Woo <= 7.8.2 - Reflected Cross-Site Scripting via 'noresults' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "bakkbone", "product": "FloristPress for Woo \u2013 Customize your eCommerce store for your Florist", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "7.8.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-06T01:23:21.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-25T14:09:09.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ea3b6fa6-1b58-40c2-8ec2-8a9211069f11?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bakkbone-florist-companion/trunk/src/core/ajax.php#L1583"}, {"url": "https://plugins.trac.wordpress.org/browser/bakkbone-florist-companion/tags/7.8.2/src/core/ajax.php#L1583"}, {"url": "https://plugins.trac.wordpress.org/changeset/3487687/bakkbone-florist-companion"}], "descriptions": [{"lang": "en", "value": "The FloristPress for Woo \u2013 Customize your eCommerce store for your Florist plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'noresults' parameter in all versions up to, and including, 7.8.2 due to insufficient input sanitization and output escaping on the user supplied 'noresults' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:59.042Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1986", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:30:59.042Z", "dateReserved": "2026-02-05T15:02:13.840Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-26T02:25:20.549Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The FloristPress for Woo \u2013 Customize your eCommerce store for your Florist plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'noresults' parameter in all versions up to, and including, 7.8.2 due to insufficient input sanitization and output escaping on the user supplied 'noresults' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin FloristPress para Woo \u2013 Personaliza tu tienda de comercio electr\u00f3nico para tu florister\u00eda para WordPress es vulnerable a cross-site scripting reflejado a trav\u00e9s del par\u00e1metro 'noresults' en todas las versiones hasta la 7.8.2, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes en el par\u00e1metro 'noresults' proporcionado por el usuario. Esto permite que atacantes no autenticados inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutan si logran enga\u00f1ar a un usuario para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2026-1986", "lastModified": "2026-04-24T16:35:20.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-26T04:17:03.510", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bakkbone-florist-companion/tags/7.8.2/src/core/ajax.php#L1583"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bakkbone-florist-companion/trunk/src/core/ajax.php#L1583"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3487687/bakkbone-florist-companion"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ea3b6fa6-1b58-40c2-8ec2-8a9211069f11?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.8.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "FloristPress for Woo \u2013 Customize your eCommerce store for your Florist", "source": "cna", "vendor": "bakkbone"}, "product": "floristpress_for_woo_\u2013_customize_your_ecommerce_store_for_your_florist", "vendor": "bakkbone"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T05:51:36.618571+00:00", "value": {"mitigation_remediation": ["Upgrade FloristPress for Woo to the latest release (7.8.3 or newer) to eliminate the flaw.", "If an upgrade is not immediately possible, modify the core/ajax.php file to sanitize or remove the 'noresults' parameter before it is output.", "Deploy a web application firewall or input\u2011validation mechanism that blocks or sanitizes malicious content in the 'noresults' parameter.", "Keep WordPress core, all plugins, and themes updated and monitor vendor advisories for additional security guidance."], "summary": {"action": "Patch Now", "impact": "Cross\u2011Site Scripting that permits arbitrary script injection in victims\u2019 browsers"}, "threat_synthesis": {"affected_systems": "Any WordPress site that has installed FloristPress for Woo \u2013 Customize your eCommerce store for your Florist plugin with a version equal to or older than 7.8.2 is affected. The vulnerability resides in the core/ajax.php file that processes the search\u2011result response when no items are found.", "description_and_impact": "The FloristPress for Woo plugin is vulnerable to reflected cross\u2011site scripting through the 'noresults' parameter. Insufficient input sanitization and output escaping allow an unauthenticated attacker to supply malicious content in this parameter, which is then reflected back to the user without proper encoding. The result is that arbitrary web scripts can be executed in the target\u2019s browser when a vulnerable page is accessed, enabling client\u2011side attacks such as phishing or malicious content execution.", "risk_and_exploitability": "The CVSS base score of 6.1 indicates moderate severity. This flaw is unauthenticated and remote; an attacker must craft a URL containing a malicious payload in the 'noresults' parameter and lure a user to click that link. There is no EPSS data and the vulnerability is not listed in the CISA KEV catalog, but the potential for exploitation exists if users are tricked into visiting a malicious link."}}}}, "created": "2026-03-26T11:30:43.606196+00:00", "updated": "2026-03-26T12:08:44.170743+00:00", "vendors": ["bakkbone", "bakkbone$PRODUCT$floristpress_for_woo_\u2013_customize_your_ecommerce_store_for_your_florist", "wordpress", "wordpress$PRODUCT$wordpress"]}