CVE Vulnerability Database

CVE-2026-2838: WooCommerce Enquiry Cart XSS Vulnerability

CVE-2026-2838 is a stored cross-site scripting flaw in the Whole Enquiry Cart for WooCommerce plugin that allows authenticated admins to inject malicious scripts. This article covers technical details, affected versions, and mitigation.

CVE-2026-2838 Overview

CVE-2026-2838 is a Stored Cross-Site Scripting (XSS) vulnerability in the Whole Enquiry Cart for WooCommerce plugin for WordPress. The flaw affects all versions up to and including 1.2.1. It results from insufficient input sanitization and output escaping on the woowhole_success_msg parameter. Authenticated attackers with administrator-level access can inject arbitrary web scripts into pages. The injected scripts execute when users access the affected pages. The issue is tracked under CWE-79.

Critical Impact

Authenticated administrators on WordPress multi-site installations, or sites where unfiltered_html is disabled, can persist JavaScript payloads that execute in the browser of any user viewing the affected page.

Affected Products

  • Whole Enquiry Cart for WooCommerce plugin for WordPress, versions up to and including 1.2.1
  • WordPress multi-site installations running the affected plugin
  • WordPress installations with the unfiltered_html capability disabled

Discovery Timeline

  • 2026-04-08 - CVE-2026-2838 published to NVD
  • 2026-04-27 - Last updated in NVD database

Technical Details for CVE-2026-2838

Vulnerability Analysis

The Whole Enquiry Cart for WooCommerce plugin fails to sanitize input and escape output for the woowhole_success_msg configuration parameter. An administrator can submit arbitrary HTML and JavaScript through this field. The plugin stores the raw value and later renders it without escaping into pages served to site users. The injected script executes in the context of every visitor who loads an affected page. Exploitation requires authenticated administrator access. The vulnerability only impacts multi-site installations or single-site installations where the unfiltered_html capability has been revoked, since administrators with unfiltered_html are normally trusted to post raw HTML. The Exploit Prediction Scoring System (EPSS) currently rates the probability of exploitation as low.

Root Cause

The plugin admin handler at admin.php line 53 accepts the woowhole_success_msg value from a POST request without applying a sanitization function such as sanitize_text_field() or wp_kses(). The stored value is later echoed into page output without escaping through esc_html() or esc_attr(). This breaks the WordPress security boundary that restricts HTML posting to users holding the unfiltered_html capability.
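The following is an added illustration of the pattern the root cause describes and of the corrected pattern, written against the public WordPress API; it is not the plugin's own code, and the function names, the nonce action and the manage_options capability are assumptions.

```php
<?php
// Illustrative reconstruction, not the plugin's code. Names are assumptions.

// VULNERABLE PATTERN: the raw POST value is stored and later echoed unescaped.
function woowhole_save_success_msg_vulnerable() {
    if ( isset( $_POST['woowhole_success_msg'] ) ) {
        // No sanitization: <script> tags or onerror= attributes are persisted as-is.
        update_option( 'woowhole_success_msg', $_POST['woowhole_success_msg'] );
    }
}

function woowhole_render_success_msg_vulnerable() {
    // No output escaping: stored markup is interpreted by every visitor's browser.
    echo get_option( 'woowhole_success_msg', '' );
}

// HARDENED PATTERN: capability and nonce checks, sanitize on input, escape on output.
function woowhole_save_success_msg_hardened() {
    if ( ! isset( $_POST['woowhole_success_msg'] ) ) {
        return;
    }
    // Assumed capability: only users allowed to manage options may change it.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // Assumed nonce action name; binds the request to the settings form.
    check_admin_referer( 'woowhole_settings_save' );

    // WordPress adds slashes to superglobals; remove them before sanitizing.
    $raw = wp_unslash( $_POST['woowhole_success_msg'] );
    // A success message needs no markup, so reduce it to plain text.
    // If limited formatting were required, wp_kses_post() would be the alternative.
    update_option( 'woowhole_success_msg', sanitize_text_field( $raw ) );
}

function woowhole_render_success_msg_hardened() {
    // Escape at output even though input was sanitized (defence in depth).
    echo esc_html( get_option( 'woowhole_success_msg', '' ) );
}

// Audit helper for existing sites: true when the stored value still contains
// any tag, i.e. stripping tags changes it. Coarse check; review hits manually.
function woowhole_success_msg_contains_markup() {
    $stored = (string) get_option( 'woowhole_success_msg', '' );
    return strip_tags( $stored ) !== $stored;
}
```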

Attack Vector

An authenticated administrator submits the plugin settings form containing a JavaScript payload in the woowhole_success_msg field. The payload is persisted to the WordPress options table. When a visitor or another administrator loads a page that renders this message, the browser executes the script in the site's origin. Consequences include session theft, administrative action forgery, and arbitrary DOM manipulation. The vulnerability requires high privileges and is constrained to environments where administrator privileges are intentionally limited, such as WordPress multi-site networks where only super-administrators hold unfiltered_html.

No public proof-of-concept code is available. See the WordPress Plugin Code Reference and the Wordfence Vulnerability Report for technical details.

Detection Methods for CVE-2026-2838

Indicators of Compromise

  • Unexpected <script>, <iframe>, or event handler attributes stored in the woowhole_success_msg option in the wp_options table
  • Outbound browser requests from site visitors to attacker-controlled domains originating from pages that render the enquiry cart success message
  • Modifications to plugin settings recorded in audit logs at times that do not align with legitimate administrative activity

Detection Strategies

  • Query the WordPress database for the woowhole_success_msg option and inspect its value for HTML tags or JavaScript syntax
  • Review web server access logs for POST requests to admin.php containing script content in the woowhole_success_msg parameter
  • Deploy a web application firewall (WAF) rule that flags HTML tags in plugin configuration parameters

Monitoring Recommendations

  • Enable WordPress audit logging to track changes to plugin options and administrator account activity
  • Monitor for unexpected administrator account creation or capability changes preceding plugin configuration changes
  • Alert on Content Security Policy (CSP) violations reported from pages served by the affected plugin

How to Mitigate CVE-2026-2838

Immediate Actions Required

  • Update the Whole Enquiry Cart for WooCommerce plugin to a version newer than 1.2.1 once the vendor publishes a patch
  • Audit existing values of the woowhole_success_msg setting and remove any HTML or script content
  • Restrict administrator accounts to trusted personnel and enforce strong authentication for the WordPress admin interface

Patch Information

At the time of publication, no fixed version is referenced in the NVD entry. Monitor the Wordfence Vulnerability Report and the plugin's WordPress.org listing for an updated release that sanitizes the woowhole_success_msg parameter.

Workarounds

  • Deactivate the Whole Enquiry Cart for WooCommerce plugin until a patched version is available
  • Re-grant the unfiltered_html capability only to fully trusted super-administrators if business requirements permit, since the vulnerability does not affect users with that capability
  • Apply a WAF rule that blocks POST requests to plugin admin endpoints containing <script> tags or JavaScript event handler attributes in the woowhole_success_msg parameter

```bash
# Example: search the WordPress database for injected content in the affected option.
# Requires WP-CLI, run from the site root (or with --path pointing at it).
wp option get woowhole_success_msg | grep -iE '<script|onerror=|onload=|javascript:'
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
