What the vulnerability does
01Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VillaTheme Bopo – WooCommerce Product Bundle Builder bopo-woo-product-bundle-builder allows Reflected XSS.This issue affects Bopo – WooCommerce Product Bundle Builder: from n/a through <= 1.2.0.
Explanation of Vulnerability in Simple Terms
02Summary
Bopo – WooCommerce Product Bundle Builder versions 1.2.0 and earlier contain a cross-site scripting (XSS) vulnerability. An attacker can inject malicious scripts that execute in the browsers of site visitors, potentially stealing session tokens, modifying page content, or redirecting users. The vulnerability requires user interaction—typically clicking a malicious link—and affects the broader site scope beyond the plugin itself.
What an attacker can do
03Attacker Capabilities
Inject malicious JavaScript that runs in visitors' browsers, stealing credentials or modifying site content.
Potential impact on your site
04Site Impact
Visitors' sessions and data can be compromised; site reputation and trust are at risk.
Conditions required to exploit
05Prerequisites
No authentication required. Victim must click a malicious link or visit an attacker-controlled page.
Key dates
06Disclosure timeline
July 13, 2026
CVE published