PatchSiren cyber security CVE debrief

CVE-2026-6417 Plugins CVE debrief

CVE-2026-6417 is a medium-severity reflected cross-site scripting issue in GLS Shipping for WooCommerce affecting all versions up to and including 1.4.0. An unauthenticated attacker can inject script through the `failed_orders` parameter, but the attack depends on a victim clicking a crafted link. The supplied record shows no KEV listing and a very low EPSS score, which lowers urgency compared with actively exploited issues, but it still warrants remediation because browser-side impact can expose user sessions or alter page content.

Vendor: Plugins
Product: Unknown
CVSS: MEDIUM (6.1)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-14
Original CVE updated: 2026-05-14
Advisory published: 2026-05-14
Advisory updated: 2026-05-14

Who should care

WordPress and WooCommerce operators running the GLS Shipping for WooCommerce plugin, especially sites where users or staff may click links from emails, support tickets, dashboards, or public pages. Security teams responsible for web application hardening and plugin governance should also track this issue.

Technical summary

The vulnerability is a reflected XSS caused by insufficient input sanitization and output escaping in the `failed_orders` parameter. Because the payload is reflected into a page, an attacker can trigger script execution only when a target user follows a malicious link. The advisory metadata assigns CWE-79 and the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (score 6.1).

Defensive priority

Medium

Recommended defensive actions

  • Verify whether GLS Shipping for WooCommerce is installed and confirm the deployed version; versions at or below 1.4.0 are affected.
  • Upgrade to a vendor-fixed release once confirmed in the plugin repository or advisory trail; if a patched version is not yet available in your environment, disable or remove the plugin until remediation is in place.
  • Review any customer-facing or staff-facing links and workflows that could deliver crafted URLs, since exploitation requires user interaction.
  • Add or tune edge/WAF rules for reflected XSS patterns on affected routes to reduce exposure while patching is underway.
  • After updating, retest the affected parameter to confirm that user input is no longer reflected without proper encoding.
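The following Python is an added, illustrative example written for this debrief; it is not the plugin's code and does not come from the advisory. It models the defect named in the technical summary (the `failed_orders` value written into the page without encoding) beside an escaped rendering, and implements the retest from the last action above: a harmless probe made of the HTML metacharacters is located in a response body and each character is classified as raw, encoded or stripped, so a response with any raw character fails the check. The parameter name is the one the advisory states; the HTML context, the sentinel strings, the sample response bodies and the placeholder base URL are assumptions made for the example.

```python
"""Retest helper for a reflected parameter (illustrative, not the plugin's code)."""
import html
from typing import Optional
from urllib.parse import urlencode

PARAM = "failed_orders"            # parameter named in the advisory

# Constructed, harmless sentinels so the reflected value can be found in the body.
PREFIX = "pfx7q2z"
SUFFIX = "sfx7q2z"
METACHARS = "<>\"'"                # characters that matter in HTML text and attribute contexts
PROBE = PREFIX + METACHARS + SUFFIX

# Encoded forms a correctly escaped response may use for each metacharacter.
ENCODED = {
    "<": ("&lt;", "&#60;", "&#x3c;", "&#x3C;"),
    ">": ("&gt;", "&#62;", "&#x3e;", "&#x3E;"),
    '"': ("&quot;", "&#34;", "&#x22;"),
    "'": ("&#039;", "&#39;", "&#x27;", "&apos;"),
}


def probe_url(base_url: str) -> str:
    """Build the retest URL; base_url is a placeholder for the operator's own site."""
    return f"{base_url}?{urlencode({PARAM: PROBE})}"


def render_unescaped(value: str) -> str:
    """Model of the defective behaviour: the query value lands in the page verbatim."""
    return f'<div class="notice">Failed orders: {value}</div>'


def render_escaped(value: str) -> str:
    """Model of the fix: trim the input, then HTML-encode it at the output point."""
    return f'<div class="notice">Failed orders: {html.escape(value.strip(), quote=True)}</div>'


def reflection_report(body: str) -> Optional[dict]:
    """Classify each metacharacter of PROBE as 'raw', 'encoded' or 'stripped'.

    Returns None when the probe prefix is not reflected at all. Any 'raw'
    entry means user input reaches the page without proper encoding. Forms
    not listed in ENCODED (for example double-encoding) count as 'stripped'.
    """
    pos = body.find(PREFIX)
    if pos < 0:
        return None
    pos += len(PREFIX)
    report = {}
    for ch in METACHARS:
        if body.startswith(SUFFIX, pos):       # remaining metacharacters were filtered out
            report[ch] = "stripped"
            continue
        if body.startswith(ch, pos):           # reflected verbatim: the defect is present
            report[ch] = "raw"
            pos += 1
            continue
        for enc in ENCODED[ch]:
            if body.startswith(enc, pos):      # reflected in an entity-encoded form
                report[ch] = "encoded"
                pos += len(enc)
                break
        else:
            report[ch] = "stripped"            # this character alone was dropped
    return report


def is_fixed(body: str) -> bool:
    """True when the probe is absent or reflected with no raw metacharacter."""
    report = reflection_report(body)
    return report is None or "raw" not in report.values()


if __name__ == "__main__":
    # Constructed sample bodies standing in for responses before and after patching.
    print(probe_url("https://shop.example/placeholder-path"))
    print(reflection_report(render_unescaped(PROBE)), is_fixed(render_unescaped(PROBE)))
    print(reflection_report(render_escaped(PROBE)), is_fixed(render_escaped(PROBE)))
```

To use it against a real deployment, fetch `probe_url(...)` for the route the plugin serves with any HTTP client and pass the response body to `is_fixed`; the per-character report is more useful than a yes/no because a filter that encodes only angle brackets but leaves quotes raw still fails in attribute contexts.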

Evidence notes

All core facts in this debrief come from the supplied GHSA/NVD metadata and the referenced WordPress repository/Wordfence links: the issue is reflected XSS via `failed_orders`, affects versions through 1.4.0, maps to CWE-79, and carries CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N with a 6.1 score. The CVE was published on 2026-05-14T06:31:33Z and modified one second later; the source metadata also lists NVD publication at 2026-05-14T06:16:24Z, no KEV entry, and EPSS 0.00055 (17.312th percentile).

Official resources

Publicly disclosed on 2026-05-14 through the GitHub Advisory Database and NVD. The supplied GitHub advisory is marked unreviewed, so treat the metadata as advisory-level reporting rather than a vendor-validated fix notice.