CVE-2026-27363 identifies a stored cross-site scripting (XSS) vulnerability in the WP Bakery Autoresponder Addon developed by kamleshyadav, specifically affecting versions up to and including 1.0.6. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows attackers to inject malicious JavaScript code that is stored persistently within the application. When other users or administrators access the affected pages, the malicious script executes in their browsers, potentially leading to session hijacking, credential theft, unauthorized actions, or malware distribution. This vulnerability does not require authentication or user interaction beyond visiting the compromised page, increasing its risk profile. The WP Bakery Autoresponder Addon is a plugin for WordPress, a widely used content management system powering a significant portion of the web. Although no public exploits have been reported yet, the nature of stored XSS vulnerabilities makes them attractive targets for attackers. The absence of a CVSS score indicates that the vulnerability is newly published, with patches not yet available. The vulnerability was reserved in February 2026 and published in March 2026, indicating recent discovery. The lack of patch links suggests that users must monitor vendor updates closely. The vulnerability affects the confidentiality and integrity of user data and can impact availability if exploited to deface or disrupt services. Given the widespread use of WordPress and its plugins, this vulnerability has a broad potential attack surface.

The impact of CVE-2026-27363 is significant for organizations using the WP Bakery Autoresponder Addon within their WordPress environments. Successful exploitation can lead to the execution of arbitrary scripts in the context of the victim's browser, enabling attackers to steal session cookies, impersonate users, perform unauthorized actions, or deliver malware payloads. This compromises the confidentiality and integrity of user data and can damage organizational reputation. Additionally, attackers could deface websites or redirect visitors to malicious sites, impacting availability and trust. Since WordPress powers a large percentage of websites globally, including e-commerce, corporate, and governmental sites, the scope of impact is extensive. Organizations with public-facing WordPress sites that use this addon are particularly vulnerable. The lack of authentication requirement and ease of exploitation increase the risk of widespread attacks. Although no known exploits are currently in the wild, the vulnerability's characteristics make it a likely target for attackers once exploit code becomes available.

To mitigate CVE-2026-27363, organizations should take immediate steps to reduce exposure. First, monitor the kamleshyadav project and WP Bakery Autoresponder Addon updates for official patches and apply them promptly once released. Until patches are available, implement strict input validation and output encoding on all user-supplied data within the plugin's context to prevent script injection. Employ Web Application Firewalls (WAFs) with rules targeting XSS payloads to block malicious requests. Conduct thorough code reviews and security testing of the plugin and related components to identify and remediate similar issues. Limit plugin usage to trusted administrators and restrict permissions to reduce attack surface. Regularly audit logs and monitor for suspicious activity indicative of exploitation attempts. Educate site administrators about the risks of XSS and safe content management practices. Finally, consider disabling or replacing the vulnerable addon if immediate patching is not feasible, to prevent exploitation.