{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1986", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-05T15:02:13.840Z", "datePublished": "2026-03-26T02:25:20.549Z", "dateUpdated": "2026-03-26T02:25:20.549Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-26T02:25:20.549Z"}, "affected": [{"vendor": "bakkbone", "product": "FloristPress for Woo \u2013 Customize your eCommerce store for your Florist", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "7.8.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The FloristPress for Woo \u2013 Customize your eCommerce store for your Florist plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'noresults' parameter in all versions up to, and including, 7.8.2 due to insufficient input sanitization and output escaping on the user supplied 'noresults' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "FloristPress for Woo <= 7.8.2 - Reflected Cross-Site Scripting via 'noresults' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ea3b6fa6-1b58-40c2-8ec2-8a9211069f11?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bakkbone-florist-companion/trunk/src/core/ajax.php#L1583"}, {"url": "https://plugins.trac.wordpress.org/browser/bakkbone-florist-companion/tags/7.8.2/src/core/ajax.php#L1583"}, {"url": "https://plugins.trac.wordpress.org/changeset/3487687/bakkbone-florist-companion"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2026-02-06T01:23:21.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-25T14:09:09.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The FloristPress for Woo \u2013 Customize your eCommerce store for your Florist plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'noresults' parameter in all versions up to, and including, 7.8.2 due to insufficient input sanitization and output escaping on the user supplied 'noresults' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "id": "CVE-2026-1986", "lastModified": "2026-03-26T04:17:03.510", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-26T04:17:03.510", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bakkbone-florist-companion/tags/7.8.2/src/core/ajax.php#L1583"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bakkbone-florist-companion/trunk/src/core/ajax.php#L1583"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3487687/bakkbone-florist-companion"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ea3b6fa6-1b58-40c2-8ec2-8a9211069f11?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.8.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "FloristPress for Woo \u2013 Customize your eCommerce store for your Florist", "source": "cna", "vendor": "bakkbone"}, "product": "floristpress_for_woo_\u2013_customize_your_ecommerce_store_for_your_florist", "vendor": "bakkbone"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T05:51:36.618571+00:00", "value": {"mitigation_remediation": ["Upgrade FloristPress for Woo to the latest release (7.8.3 or newer) to eliminate the flaw.", "If an upgrade is not immediately possible, modify the core/ajax.php file to sanitize or remove the 'noresults' parameter before it is output.", "Deploy a web application firewall or input\u2011validation mechanism that blocks or sanitizes malicious content in the 'noresults' parameter.", "Keep WordPress core, all plugins, and themes updated and monitor vendor advisories for additional security guidance."], "summary": {"action": "Patch Now", "impact": "Cross\u2011Site Scripting that permits arbitrary script injection in victims\u2019 browsers"}, "threat_synthesis": {"affected_systems": "Any WordPress site that has installed FloristPress for Woo \u2013 Customize your eCommerce store for your Florist plugin with a version equal to or older than 7.8.2 is affected. The vulnerability resides in the core/ajax.php file that processes the search\u2011result response when no items are found.", "description_and_impact": "The FloristPress for Woo plugin is vulnerable to reflected cross\u2011site scripting through the 'noresults' parameter. Insufficient input sanitization and output escaping allow an unauthenticated attacker to supply malicious content in this parameter, which is then reflected back to the user without proper encoding. The result is that arbitrary web scripts can be executed in the target\u2019s browser when a vulnerable page is accessed, enabling client\u2011side attacks such as phishing or malicious content execution.", "risk_and_exploitability": "The CVSS base score of 6.1 indicates moderate severity. This flaw is unauthenticated and remote; an attacker must craft a URL containing a malicious payload in the 'noresults' parameter and lure a user to click that link. There is no EPSS data and the vulnerability is not listed in the CISA KEV catalog, but the potential for exploitation exists if users are tricked into visiting a malicious link."}}}}, "created": "2026-03-26T11:30:43.606196+00:00", "updated": "2026-03-26T12:08:44.170743+00:00", "vendors": ["bakkbone", "bakkbone$PRODUCT$floristpress_for_woo_\u2013_customize_your_ecommerce_store_for_your_florist", "wordpress", "wordpress$PRODUCT$wordpress"]}