{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2838", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-19T21:45:35.857Z", "datePublished": "2026-04-08T06:43:42.488Z", "dateUpdated": "2026-04-08T17:28:08.868Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:08.868Z"}, "affected": [{"vendor": "idealwebdesignlk", "product": "Whole Enquiry Cart for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Whole Enquiry Cart for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018woowhole_success_msg\u2019 parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "Whole Enquiry Cart for WooCommerce <= 1.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'woowhole_success_msg' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ddc14a98-1df8-480b-bae3-5ec057b498af?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/whole-cart-enquiry/trunk/admin.php#L53"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2026-01-21T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-04-07T17:51:16.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Whole Enquiry Cart for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018woowhole_success_msg\u2019 parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "id": "CVE-2026-2838", "lastModified": "2026-04-08T21:26:35.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T07:16:20.707", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/whole-cart-enquiry/trunk/admin.php#L53"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ddc14a98-1df8-480b-bae3-5ec057b498af?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Whole Enquiry Cart for WooCommerce", "source": "cna", "vendor": "idealwebdesignlk"}, "product": "whole_enquiry_cart_for_woocommerce", "vendor": "idealwebdesignlk"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T08:51:05.518358+00:00", "value": {"mitigation_remediation": ["Upgrade the Whole Enquiry Cart for WooCommerce plugin to the latest version that removes the vulnerable parameter or sanitizes input.", "If an upgrade cannot be applied immediately, remove any existing 'woowhole_success_msg' content that may contain injected scripts or delete the plugin configuration that enables the message.", "Restrict administrator access to trusted users only and consider disabling the unfiltered_html capability for all roles except those that truly require it.", "Monitor site activity for signs of XSS exploitation, review recent administrator actions, and audit the plugin codebase to ensure no vulnerable input remains."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting in WordPress WooCommerce plugin"}, "threat_synthesis": {"affected_systems": "The vulnerability afflicts every installation of idealwebdesignlk's Whole Enquiry Cart for WooCommerce plugin whose version is 1.2.1 or older. It only exists on WordPress multisite networks where the 'unfiltered_html' capability has been disabled, and it requires the attacker to have administrator or similar high\u2011privilege access. Sites running newer versions or not using the plugin are not impacted.", "description_and_impact": "The Whole Enquiry Cart for WooCommerce plugin for WordPress contains a stored cross\u2011site scripting flaw because the 'woowhole_success_msg' parameter is not properly sanitized or escaped. An attacker who is authenticated and has administrator-level permissions can inject arbitrary JavaScript code that will be rendered whenever a visitor loads a page containing the injected message. This client\u2011side code execution can be used to deface the site, steal credentials, or deliver other malicious payloads to site users.", "risk_and_exploitability": "The CVSS Base score is 4.4, indicating medium severity. No EPSS data is available, and the vulnerability is not in the CISA KEV catalog. Exploitation requires prior authentication with administrator privileges; once the malicious script is stored, any site visitor will be exposed to the injected code. Because the flaw is a stored XSS, the potential impact on confidentiality, integrity, or availability of the site and its users is significant, but the likelihood of exploitation is limited without an existing administrator account."}}}}, "created": "2026-04-08T19:31:03.559315+00:00", "updated": "2026-04-08T19:43:35.310515+00:00", "vendors": ["idealwebdesignlk", "idealwebdesignlk$PRODUCT$whole_enquiry_cart_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}