{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0552", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-01T18:03:52.749Z", "datePublished": "2026-04-04T07:41:59.408Z", "dateUpdated": "2026-04-08T17:13:59.705Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:59.705Z"}, "affected": [{"vendor": "mra13", "product": "Simple Shopping Cart", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.2.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpsc_display_product' shortcode in all versions up to, and including, 5.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Simple Shopping Cart <= 5.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpsc_display_product' Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a8e222d1-cb03-4498-9776-e050eb501e9f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3440173/wordpress-simple-paypal-shopping-cart"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-01-24T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-04-03T19:30:41.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T15:46:31.338052Z", "id": "CVE-2026-0552", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:46:39.855Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0552", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T15:46:31.338052Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:46:34.387Z"}}], "cna": {"title": "Simple Shopping Cart <= 5.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpsc_display_product' Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "mra13", "product": "Simple Shopping Cart", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.2.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-24T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-04-03T19:30:41.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a8e222d1-cb03-4498-9776-e050eb501e9f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3440173/wordpress-simple-paypal-shopping-cart"}], "descriptions": [{"lang": "en", "value": "The Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpsc_display_product' shortcode in all versions up to, and including, 5.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-04T07:41:59.408Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0552", "state": "PUBLISHED", "dateUpdated": "2026-04-06T15:46:39.855Z", "dateReserved": "2026-01-01T18:03:52.749Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-04T07:41:59.408Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpsc_display_product' shortcode in all versions up to, and including, 5.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-0552", "lastModified": "2026-04-07T13:20:55.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-04T08:16:05.727", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3440173/wordpress-simple-paypal-shopping-cart"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a8e222d1-cb03-4498-9776-e050eb501e9f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.2.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "simple_shopping_cart", "vendor": "mra13"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-04T11:22:17.337213+00:00", "value": {"mitigation_remediation": ["Update the Simple Shopping Cart plugin to the latest available version (5.2.5 or newer).", "If an immediate update is not possible, disable or remove the 'wpsc_display_product' shortcode from the site or restrict its usage to trusted users only.", "Verify that all users with contributor or higher permissions follow best\u2011practice guidelines for input handling; consider reviewing user role permissions to limit injection opportunities.", "Maintain the WordPress core and all other plugins at their latest secure releases to reduce the attack surface for future vulnerabilities."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting (Contributor+ authentication required)"}, "threat_synthesis": {"affected_systems": "This vulnerability impacts installations of the Simple Shopping Cart plugin for WordPress with versions up to and including 5.2.4. Sites that have deployed any of these versions and grant contributor or higher permissions to any user profile are potentially exposed. The plugin is developed by mra13 and is integrated into WordPress core as a third\u2011party extension.", "description_and_impact": "The Simple Shopping Cart plugin for WordPress allows attackers with contributor-level access to supply arbitrary script code through the 'wpsc_display_product' shortcode. The plugin fails to properly sanitize or escape user\u2011supplied attributes, enabling the placement of malicious scripts that persist across pages. When an affected page is viewed, the injected code executes within the browser context of any visitor, potentially leading to session hijacking, defacement, or the execution of additional malicious payloads. The weakness is a classic stored cross\u2011site scripting flaw (CWE\u201179) that directly compromises the confidentiality of user data and the integrity of the site\u2019s content.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a medium severity rating, which aligns with the scope of the flaw\u2014only users with contributor-level or higher privileges can inject the payload, and the impact is limited to browsers that visit the affected pages. No EPSS score is available, but the absence of a listing in the CISA KEV catalog suggests the vulnerability has not yet been widely exploited at the time of reporting. The likely attack vector is web\u2011based, relying on authenticated access to the plugin\u2019s shortcode editor; once the script is injected, it becomes automatically executed for all users who view the rendered page."}}}}, "created": "2026-04-06T20:27:38.569433+00:00", "updated": "2026-04-06T22:20:57.720331+00:00", "vendors": ["mra13", "mra13$PRODUCT$simple_shopping_cart", "wordpress", "wordpress$PRODUCT$wordpress"]}