Attack Vectors
Bakery Autoresponder Addon (WordPress plugin slug: vc-autoresponder-addon) has a High severity vulnerability (CVSS 7.2, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) identified as CVE-2026-27363.
The issue is an unauthenticated stored cross-site scripting (Stored XSS) weakness affecting versions up to and including 1.0.6. In practical terms, an attacker does not need a login to submit malicious content that can be stored by the site and later executed in visitors’ or staff members’ browsers when they view the affected page.
Because it is stored (not just a one-time link), this kind of attack can persist and repeatedly trigger—especially risky on pages frequently accessed by marketing teams, customer support, executives, or compliance staff reviewing web content.
Security Weakness
According to Wordfence, the vulnerability stems from insufficient input sanitization and output escaping in the Bakery Autoresponder Addon plugin. This means the plugin may accept user-supplied data and later display it on a page without properly filtering or safely rendering it.
When that happens, injected scripts can run in the context of your site. From a business perspective, the risk is not just “a page looks wrong”—it’s that attacker-controlled code can execute as if it were part of your brand’s web experience, potentially affecting customer trust and internal operations.
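To make the "insufficient sanitization and output escaping" point concrete, the following added illustration (not the plugin's own code, and not taken from the advisory) renders one constructed stored value three ways in plain PHP. The WordPress helpers named in the comments, esc_html() and sanitize_text_field(), are real functions; the render_* and sanitize_on_input functions are hypothetical names chosen for this example.

```php
<?php
// Added illustration, not the plugin's own code: one stored value rendered
// three ways, to show where escaping has to happen.

// Constructed sample: text an unauthenticated form might accept and the
// plugin might later print into an admin or public page.
$stored = 'Jane <script>/* constructed marker */</script>';

// Vulnerable pattern: the stored string is interpolated straight into HTML,
// so any markup it contains becomes part of the page.
function render_unsafe(string $value): string
{
    return '<p class="subscriber-name">' . $value . '</p>';
}

// Hardened pattern: escape for the HTML text context at output time.
// WordPress provides esc_html() for this; plain PHP uses htmlspecialchars().
function render_escaped(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p class="subscriber-name">' . $safe . '</p>';
}

// Defence in depth at storage time (WordPress: sanitize_text_field()):
// drop tags and control characters and normalise whitespace before saving.
// This complements output escaping; it does not replace it.
function sanitize_on_input(string $value): string
{
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    return trim(preg_replace('/\s+/', ' ', $value));
}

echo render_unsafe($stored), PHP_EOL;                      // markup survives intact
echo render_escaped($stored), PHP_EOL;                     // rendered as literal text
echo render_escaped(sanitize_on_input($stored)), PHP_EOL;  // tags never reach storage
```

The escaping function must match the output context: esc_html() (or htmlspecialchars()) covers element text, while values placed inside attributes, URLs or inline JavaScript need the context-specific WordPress helpers (esc_attr(), esc_url(), esc_js()). Sanitizing on input alone is not sufficient, because data stored before the sanitizer existed, or written through another path, would still be echoed raw.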
There is no known patch available at the time of writing. The source's remediation guidance is to review the advisory details and apply mitigations in line with your organization’s risk tolerance; for many organizations, the safest path is to uninstall the affected plugin and replace it with an alternative.
Technical or Business Impacts
This vulnerability can create meaningful business exposure because it enables unauthorized script execution on your site. That may translate into brand damage, increased legal/compliance scrutiny, and loss of stakeholder confidence—particularly if malicious content is encountered by customers or partners.
Potential impacts include tampering with page content (misleading offers, altered calls-to-action, fake forms), data exposure risks (depending on what users view and what the injected script targets), and operational disruption (time spent on incident response, takedown efforts, and reputational repair). The “stored” nature means the problem can recur until fully removed.
Risk management note: because no patch is known, business owners and compliance teams should consider compensating controls (such as removing the plugin, limiting exposure, and monitoring for suspicious site changes) and assess whether continued use aligns with acceptable risk.
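One form the "monitoring for suspicious site changes" control can take is a periodic sweep of the plugin's stored data for markup that plain-text fields should never contain. The script below is an added example written for this advisory, not code from the plugin or from Wordfence; the row layout (id, field, value) and field names are hypothetical, and the patterns are heuristics that will also match legitimate embed codes, so treat hits as review triggers rather than verdicts.

```php
<?php
// Added example, not from the advisory or the plugin: a heuristic sweep over
// exported plugin data that flags stored values containing markup a site
// owner would not expect in plain-text fields. Treat hits as review triggers.

const SUSPICIOUS_PATTERNS = [
    'script_tag'     => '/<\s*script\b/i',
    'event_handler'  => '/\son[a-z]+\s*=/i',
    'javascript_uri' => '/javascript\s*:/i',
    'iframe_tag'     => '/<\s*iframe\b/i',
];

/**
 * Return one finding per (row, pattern) match. Each $rows entry is expected to
 * carry 'id', 'field' and 'value' keys (a hypothetical export layout).
 */
function find_suspicious_values(array $rows): array
{
    $findings = [];
    foreach ($rows as $row) {
        foreach (SUSPICIOUS_PATTERNS as $name => $regex) {
            if (preg_match($regex, $row['value']) === 1) {
                $findings[] = [
                    'id'      => $row['id'],
                    'field'   => $row['field'],
                    'pattern' => $name,
                    // Short excerpt for the reviewer; never echo it unescaped into a page.
                    'excerpt' => substr($row['value'], 0, 40),
                ];
            }
        }
    }
    return $findings;
}

// Constructed sample rows standing in for an exported table; the field names
// are hypothetical and not the plugin's real schema.
$rows = [
    ['id' => 1, 'field' => 'subscriber_name', 'value' => 'Jane Doe'],
    ['id' => 2, 'field' => 'subscriber_name', 'value' => 'Bob <script>/* constructed */</script>'],
    ['id' => 3, 'field' => 'message',         'value' => 'See <a href="javascript:void(0)">here</a>'],
    ['id' => 4, 'field' => 'message',         'value' => 'Meeting moved to Monday'],
    ['id' => 5, 'field' => 'signature',       'value' => '<img src="logo.png" onerror="/* constructed */">'],
];

// Report to the terminal only; the excerpt is escaped in case this output is
// ever pasted into an HTML report.
foreach (find_suspicious_values($rows) as $f) {
    printf("row %d field %s matched %s: %s\n",
        $f['id'], $f['field'], $f['pattern'],
        htmlspecialchars($f['excerpt'], ENT_QUOTES, 'UTF-8'));
}
```

Run against a fresh export each time and diff the findings against the previous run: a new hit in a field that has never carried markup before is a stronger signal than a long-standing match in a field where HTML is expected. Pair this with web-server logs for the plugin's unauthenticated submission endpoint so a flagged row can be traced back to the request that created it.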
Similar Attacks
Stored XSS has been widely used in real-world incidents to deface sites, inject skimmers, and undermine user trust. Here are a few well-known examples to illustrate the business risk:
Home Depot breach (2014) — A major retail incident that highlights how injected malicious code can contribute to large-scale fraud and brand impact.
TalkTalk cyber-attack (2015) — A high-profile event demonstrating how web vulnerabilities can trigger significant customer trust and regulatory consequences.
Equifax settlement (2019) — A reminder of how security failures can lead to substantial financial and compliance outcomes.