FloristPress for Woo – Customize your eCommerce store for your Flor…

Mar 25, 2026 | Plugins

Attack Vectors

CVE-2026-1986 is a Medium-severity (CVSS 6.1) reflected cross-site scripting (XSS) vulnerability affecting FloristPress for Woo – Customize your eCommerce store for your Florist (slug: bakkbone-florist-companion) in versions up to and including 7.8.2.

The attack is performed by sending a crafted request that includes malicious content in the “noresults” parameter. Because this is reflected XSS, the attacker typically needs to trick a user into clicking a link or otherwise loading a page that contains the injected script. The attacker does not need to be logged in (unauthenticated), but user interaction is required.

Security Weakness

The root cause is insufficient input sanitization and output escaping of the user-supplied “noresults” parameter. In practice, this means untrusted input can be included in a page response in a way that the browser may interpret as executable script.
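To make the weakness class concrete, here is an added illustration of the pattern described above: a query parameter echoed into the page unescaped, beside a hardened form that sanitizes on input and escapes on output with WordPress's own helpers. This is not FloristPress code; only the parameter name "noresults" comes from the advisory, and the markup, function names and sample values are constructed. The stand-in definitions at the top exist only so the file runs with plain `php` outside WordPress; inside WordPress the real `sanitize_text_field()`, `wp_unslash()`, `esc_html()` and `esc_attr()` are used.

```php
<?php
// Added illustration of reflected XSS through an unescaped query parameter.
// NOT the plugin's code: "noresults" is the parameter named in the advisory,
// everything else here is constructed for demonstration.

// Stand-ins so this file runs outside WordPress (the real WordPress functions
// take precedence when they exist; these are simplified approximations).
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) { return stripslashes((string) $value); }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        $str = strip_tags((string) $str);                        // drop markup
        $str = preg_replace('/[\x00-\x1F\x7F]/u', '', $str);     // drop control chars
        return trim($str);
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: the raw request value is concatenated straight into HTML,
// so any markup in the parameter reaches the browser as markup.
function render_noresults_vulnerable(array $get): string {
    $msg = isset($get['noresults']) ? $get['noresults'] : 'No products found.';
    return '<p class="no-results">' . $msg . '</p>';
}

// Hardened pattern: sanitize early (input), escape late (output), and choose the
// escaping function for the context the value lands in (text node vs attribute).
function render_noresults_hardened(array $get): string {
    $msg = isset($get['noresults'])
        ? sanitize_text_field(wp_unslash($get['noresults']))
        : 'No products found.';
    return '<p class="no-results" data-msg="' . esc_attr($msg) . '">'
         . esc_html($msg) . '</p>';
}

// Constructed sample inputs: a plain message and one carrying HTML tags.
$samples = [
    ['noresults' => 'Nothing matched your search'],
    ['noresults' => '<b>oops</b>'],   // constructed: tags that must never reach the page raw
];
foreach ($samples as $get) {
    echo "vulnerable: " . render_noresults_vulnerable($get) . "\n";
    echo "hardened:   " . render_noresults_hardened($get) . "\n";
}
```

Running this with `php` shows the vulnerable renderer emitting the `<b>` tags verbatim, while the hardened renderer strips them on input and HTML-encodes whatever remains on output, so no angle brackets or quotes from the request survive into the response. The functions take the request array as an argument rather than reading `$_GET` directly, which is what makes the two paths easy to compare in a unit test.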

From a governance and compliance perspective, reflected XSS is especially concerning because it can be used to manipulate what a visitor sees and does on your site, even if your WordPress admin area and servers are otherwise well protected.

Technical or Business Impacts

If exploited, this issue can enable attackers to run arbitrary script in a victim’s browser within the context of your site. Depending on where the parameter is reflected and how the user is targeted, potential outcomes may include session or account compromise, unauthorized actions performed as the user, and customer-facing content manipulation (for example, changing where links point, injecting fake messages, or altering checkout-related prompts).

For marketing directors and executives, the practical risk is brand damage and revenue impact: targeted customers may be redirected, misled, or exposed to convincing “on-brand” fraud pages. Even when the vulnerability is “Medium,” the business consequences can be significant if the attack is used in a campaign (email, ads, social posts) that drives traffic to a maliciously crafted URL.

Remediation: Update FloristPress for Woo to version 7.8.3 or newer, which includes the patch for this issue.

Similar Attacks

Reflected XSS is a common web vulnerability pattern that has affected widely used components and platforms. Examples include:

CVE-2020-11022 (jQuery) – a client-side library issue that could enable XSS when certain methods processed HTML in unsafe ways.
CVE-2019-11358 (jQuery) – a prototype pollution weakness that could be leveraged in some scenarios to enable XSS-related impacts.
