CVE-2026-24526 Overview
CVE-2026-24526 is a DOM-Based Cross-Site Scripting (XSS) vulnerability in the Email Inquiry & Cart Options for WooCommerce plugin for WordPress, authored by Steve Truman. The flaw is improper neutralization of input during web page generation, classified as [CWE-79], and affects all plugin versions up to and including 3.5.0. An attacker holding a low-privileged account can inject a script that runs in a victim's browser once the victim performs an interaction such as opening a crafted link. The CVSS assessment rates the confidentiality, integrity, and availability impact as low, with a changed scope: the script executes in the origin of the WordPress site, so it can reach resources beyond the vulnerable plugin itself.
Critical Impact
Authenticated attackers can trigger client-side script execution in administrative or customer browser sessions on WooCommerce stores running the affected plugin.
Affected Products
- Steve Truman Email Inquiry & Cart Options for WooCommerce plugin (woocommerce-email-inquiry-cart-options)
- All versions up to and including 3.5.0 (no lower bound is published)
- WordPress sites running WooCommerce with this plugin installed
Discovery Timeline
- 2026-01-23 - CVE-2026-24526 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2026-24526
Vulnerability Analysis
The vulnerability is a DOM-Based XSS issue in the Email Inquiry & Cart Options for WooCommerce WordPress plugin. DOM-Based XSS occurs when client-side JavaScript reads attacker-controlled data from a source such as the URL and writes it into the Document Object Model (DOM) through a sink that interprets HTML or JavaScript, without sanitization. The plugin extends WooCommerce with email inquiry forms and cart configuration options, and the client-side code behind those features fails to neutralize script content before rendering. Because the tainted data can travel entirely inside the browser, for instance in the URL fragment after #, which browsers never send to the server, server-side output escaping and server logs may never see the payload.
Exploitation requires the attacker to hold a low-privileged account and a victim to perform a user interaction, such as clicking a crafted link. Because the scope is changed, the injected script may affect resources beyond the plugin's security boundary, including other parts of the WordPress site.
Root Cause
The root cause is improper input neutralization during web page generation. Client-side code in the plugin reads data from untrusted sources and inserts it into the DOM using sinks that interpret HTML or JavaScript content (for example innerHTML-style assignment rather than a text-only sink). Without escaping or sanitization, an attacker can inject a payload that the browser executes in the context of the WordPress site origin, with access to that origin's cookies, DOM, and authenticated endpoints.
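The source-to-sink pattern described above, shown as an added example rather than code from the plugin or from the Patchstack advisory. It models a generic DOM-XSS flow (URL query or fragment read by client-side JavaScript and written to an HTML-parsing sink) next to two hardened forms. The parameter name inquiry_msg, the shop.example URLs, and the tiny element stand-in that lets the code run under Node without a browser are all assumptions for illustration; the real plugin's parameter names and sinks are not published on this page.

```javascript
// Added example (not the plugin's code): generic DOM-XSS source-to-sink pattern
// and its hardened forms. "inquiry_msg" and the URLs are hypothetical.

// Source: an untrusted value taken from the query string or the URL fragment.
// The fragment (#...) is never sent to the server, so server-side escaping,
// WAF rules and access logs cannot see that variant of the input.
function readUntrustedParam(urlString, name) {
  const u = new URL(urlString);
  const fromQuery = u.searchParams.get(name);
  if (fromQuery !== null) return fromQuery;
  return new URLSearchParams(u.hash.replace(/^#/, '')).get(name);
}

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in for a DOM element so this runs under Node. It mirrors the browser
// contract that matters here: innerHTML is parsed as markup, textContent is
// stored as text and serialises back out escaped.
function fakeElement() {
  let markup = '';
  return {
    set innerHTML(v) { markup = String(v); },
    get innerHTML() { return markup; },
    set textContent(v) { markup = escapeHtml(v); },
  };
}

// VULNERABLE pattern: untrusted string concatenated into an HTML-parsing sink.
function renderVulnerable(el, urlString) {
  const msg = readUntrustedParam(urlString, 'inquiry_msg') ?? '';
  el.innerHTML = '<p class="inquiry-echo">Your message: ' + msg + '</p>';
  return el.innerHTML;
}

// FIX 1: use a text-only sink; any markup in msg is displayed literally.
function renderWithTextSink(el, urlString) {
  const msg = readUntrustedParam(urlString, 'inquiry_msg') ?? '';
  el.textContent = 'Your message: ' + msg;
  return el.innerHTML;
}

// FIX 2: when an HTML sink is unavoidable, escape before concatenating.
function renderEscaped(el, urlString) {
  const msg = readUntrustedParam(urlString, 'inquiry_msg') ?? '';
  el.innerHTML = '<p class="inquiry-echo">Your message: ' + escapeHtml(msg) + '</p>';
  return el.innerHTML;
}

// Crude stand-in for "would the browser attach an event handler here?":
// an element tag carrying an inline on*= attribute. Demonstration only.
function hasInlineHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed attack URLs: the same payload via the query string and via the fragment.
const PAYLOAD = '<img src=x onerror=alert(document.domain)>';
const QUERY_URL = 'https://shop.example/product/?inquiry_msg=' + PAYLOAD;
const FRAGMENT_URL = 'https://shop.example/product/#inquiry_msg=' + PAYLOAD;

function summary() {
  const out = {};
  for (const [label, url] of [['query', QUERY_URL], ['fragment', FRAGMENT_URL]]) {
    out[label] = {
      vulnerable: hasInlineHandler(renderVulnerable(fakeElement(), url)),
      textSink: hasInlineHandler(renderWithTextSink(fakeElement(), url)),
      escaped: hasInlineHandler(renderEscaped(fakeElement(), url)),
    };
  }
  return out;
}

console.log(JSON.stringify(summary(), null, 2));
```

Both the query and the fragment variants reach the sink with the markup intact in the vulnerable path; the two fixes neutralise it regardless of which source delivered it, which is the property to look for when reviewing a patched release.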
Attack Vector
The attack vector is network-based with low attack complexity. An attacker authenticates with a low-privileged account, then crafts a URL or payload that reaches the vulnerable DOM sink. When another user, typically a store administrator or a logged-in customer, opens the link, the script runs in that user's browser session. Refer to the Patchstack Vulnerability Advisory for technical details.
// No verified exploit code is publicly available for CVE-2026-24526.
// See the Patchstack advisory for additional context.
Detection Methods for CVE-2026-24526
Indicators of Compromise
- Unexpected <script> tags, javascript: URIs, or event handlers appearing in plugin-rendered pages
- WordPress admin or customer sessions exhibiting unusual outbound requests after visiting plugin-related URLs
- Modified WooCommerce inquiry or cart option records containing HTML or JavaScript payloads
Detection Strategies
- Inspect web-server access logs for requests to plugin endpoints whose query strings contain percent-encoded or double-encoded script content; decode before matching. Note that URL fragments (after #) are never sent to the server, so a fragment-delivered payload leaves only the plain page path in the log.
- Review browser console errors and Content Security Policy (CSP) violations on pages that include the plugin
- Audit plugin-stored data in the WordPress database for entries containing HTML tags or JavaScript syntax
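The access-log review from the detection strategies above, carried out as an added example (not a tool from the page, the plugin, or Patchstack). It parses combined-format log lines, decodes the request target the way a browser would before matching, and flags query strings carrying XSS-shaped content aimed at product pages. The log lines are constructed for the example, the /product/ path is an assumption about where the plugin's forms render, and the last line illustrates the blind spot noted above: a payload delivered in the fragment is absent from the log entirely.

```javascript
// Added example, not from the page or the plugin: flag XSS-looking query strings in
// access logs. Sample lines are constructed; the /product/ path hint is assumed.

// Patterns that suggest markup or script in a decoded query string. The handler
// pattern requires a preceding space, slash or quote so "?option=" is not flagged.
const XSS_PATTERNS = [
  /<\s*script/i,
  /javascript\s*:/i,
  /<\s*(img|svg|iframe|body|details|object|embed)\b/i,
  /[\s"'\/]on[a-z]+\s*=/i,
];

// Decode like URLSearchParams does ('+' is a space, %XX expanded). Two passes
// catch double-encoded payloads; a malformed escape stops decoding gracefully.
function decodeTarget(target) {
  let s = target.replace(/\+/g, ' ');
  for (let i = 0; i < 2; i++) {
    try { s = decodeURIComponent(s); } catch (e) { break; }
  }
  return s;
}

// Parse one Apache/nginx combined-format line; null if the line does not fit.
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"/;
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]), referer: m[6], ua: m[7] };
}

// Return the entries whose decoded query string matches at least one pattern.
function scanAccessLog(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const decoded = decodeTarget(rec.target);
    const q = decoded.indexOf('?');
    if (q === -1) continue;                 // no query string: a fragment payload never gets here
    const query = decoded.slice(q + 1);
    const matched = XSS_PATTERNS.filter((re) => re.test(query)).map(String);
    if (matched.length) hits.push({ ip: rec.ip, time: rec.time, target: rec.target, decoded, matched });
  }
  return hits;
}

// Constructed sample log: encoded payload, double-encoded payload, benign inquiry,
// and a request where the payload sat in the fragment so only the path was logged.
const SAMPLE_LOG = [
  '203.0.113.10 - - [23/Jan/2026:10:01:02 +0000] "GET /product/blue-widget/?inquiry_msg=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.10 - - [23/Jan/2026:10:01:05 +0000] "GET /product/blue-widget/?inquiry_msg=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [23/Jan/2026:10:02:00 +0000] "GET /product/blue-widget/?inquiry_msg=Is+this+in+stock%3F HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.10 - - [23/Jan/2026:10:03:00 +0000] "GET /product/blue-widget/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

for (const hit of scanAccessLog(SAMPLE_LOG)) {
  console.log(`${hit.time} ${hit.ip} ${hit.decoded} -> ${hit.matched.join(', ')}`);
}
```

Two of the four lines are flagged, the second only because of the second decoding pass. The fourth line is a request the same client made with the payload in the fragment and is indistinguishable from a normal page view; client-side telemetry such as CSP violation reports is the only server-visible trace of that variant.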
Monitoring Recommendations
- Enable a Web Application Firewall (WAF) with rules for XSS payload patterns targeting WordPress plugins
- Monitor for new or modified administrator accounts and unauthorized plugin or theme changes following user interaction with suspicious links
- Track WordPress audit logs for changes initiated from admin sessions that immediately follow inquiry form submissions
How to Mitigate CVE-2026-24526
Immediate Actions Required
- Identify all WordPress sites running Email Inquiry & Cart Options for WooCommerce version 3.5.0 or earlier
- Disable the plugin until a vendor-released patched version is installed and verified
- Restrict access to WordPress admin interfaces using IP allow-listing or VPN where feasible
- Force password resets for administrative users if exploitation is suspected
Patch Information
At the time of publication, the Patchstack Vulnerability Advisory lists affected versions through 3.5.0. Site operators should monitor the WordPress plugin repository for an updated release from Steve Truman and apply it immediately upon availability.
Workarounds
- Deactivate and remove the plugin until a fixed version is published
- Deploy a WAF rule that blocks requests to plugin endpoints whose query strings or bodies contain script tags, event-handler attributes, or JavaScript URI schemes; this does not cover payloads carried in the URL fragment, which the browser never sends to the server
- Apply a Content Security Policy (CSP) on pages rendered by the plugin that disallows inline scripts (script-src with nonces or hashes rather than 'unsafe-inline'); test first, since the plugin's own inline scripts may break, and treat CSP as defense in depth rather than a fix
# Example: Disable the affected plugin via WP-CLI
wp plugin deactivate woocommerce-email-inquiry-cart-options
wp plugin delete woocommerce-email-inquiry-cart-options
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.