CVE-2026-3574 Overview
The Experto Dashboard for WooCommerce plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability affecting all versions up to and including 1.0.4. The vulnerability exists in multiple plugin settings fields including 'Navigation Font Size', 'Navigation Font Weight', 'Heading Font Size', 'Heading Font Weight', 'Text Font Size', and 'Text Font Weight'. Due to insufficient input sanitization and missing output escaping, authenticated attackers with Administrator-level access can inject arbitrary web scripts that execute whenever users access the plugin's settings page.
Critical Impact
Authenticated attackers with administrative privileges can inject persistent malicious scripts into plugin settings, potentially compromising other administrators and enabling account takeover in multi-site WordPress installations.
Affected Products
- Experto Dashboard for WooCommerce plugin versions up to and including 1.0.4
- WordPress multi-site installations with this plugin
- WordPress installations where unfiltered_html capability has been disabled
Discovery Timeline
- April 9, 2026 - CVE-2026-3574 published to NVD
- April 9, 2026 - Last updated in NVD database
Technical Details for CVE-2026-3574
Vulnerability Analysis
This Stored Cross-Site Scripting vulnerability stems from improper handling of user input in the plugin's administrative settings interface. When administrators configure font-related settings through the plugin's dashboard customization options, the input values are stored and later rendered without proper security controls. The vulnerability specifically impacts WordPress multi-site installations and single-site installations where the unfiltered_html capability has been explicitly disabled, as these configurations prevent direct HTML injection through standard content editors.
The attack requires Administrator-level access, which limits the attack surface but creates a significant risk in environments with multiple administrators or where administrator accounts could be compromised through other means. Once malicious scripts are injected, they persist in the database and execute in the browser context of any user who views the affected settings page.
Root Cause
The vulnerability is caused by two distinct security failures in the plugin's codebase:
Missing Sanitization Callback: The register_setting() function calls do not include a sanitize callback parameter, allowing raw user input to be stored in the WordPress options table without validation or filtering.
Missing Output Escaping: The field_callback() function uses printf to output stored values directly into HTML attributes without calling esc_attr() or equivalent escaping functions. This allows stored malicious payloads to break out of attribute context and inject executable scripts.
The vulnerable code patterns can be observed in the class-ewc-admin.php file at line 312 and line 361.
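The two failures and their fixes side by side, as an added illustration reconstructed from the description above. This is not the plugin's actual source: the option group 'ewc_settings', the ewc_* option names and the $args['option'] key are assumed.

```php
<?php
// Added illustration of the root cause; reconstructed from the advisory, not the plugin's source.
// The option group 'ewc_settings', the ewc_* option names and the $args['option'] key are assumed.

// VULNERABLE PATTERN (shown, not active): no sanitize_callback, so whatever the form
// posts is stored verbatim in wp_options.
//   register_setting( 'ewc_settings', 'ewc_nav_font_size' );
// VULNERABLE PATTERN: the stored value is written straight into a value="" attribute,
// so a value containing a double quote closes the attribute and the rest is parsed as HTML.
function ewc_field_callback_vulnerable( $args ) {
    $value = get_option( $args['option'], '' );
    printf( '<input type="text" name="%s" value="%s">', $args['option'], $value );
}

// HARDENED, step 1: allow-list each value on the way in. Anything that is not a CSS
// length or a font-weight is replaced by the default rather than stored.
function ewc_sanitize_font_size( $value ) {
    $value = trim( sanitize_text_field( (string) $value ) );
    return preg_match( '/^\d{1,3}(\.\d+)?(px|pt|em|rem|%)$/', $value ) ? $value : '14px';
}
function ewc_sanitize_font_weight( $value ) {
    $value = strtolower( trim( sanitize_text_field( (string) $value ) ) );
    return preg_match( '/^(normal|bold|lighter|bolder|[1-9]00)$/', $value ) ? $value : 'normal';
}
add_action( 'admin_init', function () {
    register_setting( 'ewc_settings', 'ewc_nav_font_size', array(
        'type'              => 'string',
        'sanitize_callback' => 'ewc_sanitize_font_size',
        'default'           => '14px',
    ) );
    register_setting( 'ewc_settings', 'ewc_nav_font_weight', array(
        'type'              => 'string',
        'sanitize_callback' => 'ewc_sanitize_font_weight',
        'default'           => 'normal',
    ) );
} );

// HARDENED, step 2: escape on the way out as well. esc_attr() encodes quotes and angle
// brackets, so even a bad value that reached the database cannot leave the attribute.
function ewc_field_callback( $args ) {
    $value = get_option( $args['option'], '' );
    printf(
        '<input type="text" name="%s" value="%s">',
        esc_attr( $args['option'] ),
        esc_attr( $value )
    );
}
```

Both layers matter: the sanitize callback stops bad values reaching the database, and the output escaping protects the settings page even for values stored before the fix was applied.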
Attack Vector
The attack is executed over the network by an authenticated attacker with Administrator-level access. The attacker navigates to the Experto Dashboard settings page and enters a malicious JavaScript payload into one of the vulnerable font settings fields (such as Navigation Font Size). When saved, the payload is stored in the WordPress database without sanitization. Subsequently, when any administrator accesses the settings page, the malicious script executes in their browser context due to the missing output escaping.
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The stored nature of the XSS makes it more dangerous than reflected variants, as the payload persists and can affect multiple users over time.
Detection Methods for CVE-2026-3574
Indicators of Compromise
- Unexpected JavaScript code present in WordPress wp_options table entries related to the Experto Dashboard plugin
- Anomalous script execution or browser warnings when administrators access the plugin settings page
- Suspicious values containing <script>, event handlers (e.g., onerror, onload), or JavaScript URIs in font-related option fields
Detection Strategies
- Monitor the WordPress options table for option names containing experto whose values hold unexpected HTML or script content
- Implement Web Application Firewall (WAF) rules to detect XSS payloads in POST requests to WordPress admin-ajax.php and options.php
- Review server access logs for unusual activity patterns on the Experto Dashboard settings page URLs
Monitoring Recommendations
- Enable WordPress audit logging to track changes to plugin settings and identify suspicious modifications
- Configure alerting for multiple rapid settings changes from administrator accounts
- Periodically scan the WordPress database for stored XSS indicators using security plugins
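Added detection example, not from the page or the plugin: a stand-alone PHP script that applies the indicators above to exported option rows and additionally flags any font setting whose value is not a plausible CSS size or weight, which catches payloads a keyword list alone would miss. The sample rows and the ewc_* option names are constructed.

```php
<?php
// Added detection example; runs stand-alone with `php scan.php`. The rows at the bottom are
// constructed samples and the ewc_* option names are assumed, not taken from the plugin.
// Indicators from the advisory (script tags, event handlers, javascript: URIs) plus an
// attribute-breakout pattern: a quote followed by on*=, which LIKE '%onerror%' misses for onmouseover etc.
const EWC_XSS_INDICATORS = array(
    'script_tag'         => '/<\s*\/?\s*script\b/i',
    'event_handler'      => '/\bon[a-z]+\s*=/i',
    'javascript_uri'     => '/javascript\s*:/i',
    'attribute_breakout' => '/["\'][^"\']*\bon[a-z]+\s*=/i',
);

// What a legitimate value looks like: a CSS length for *_font_size, a weight for *_font_weight.
function ewc_expected_format( $option_name ) {
    if ( substr( $option_name, -10 ) === '_font_size' ) {
        return '/^\d{1,3}(\.\d+)?(px|pt|em|rem|%)$/';
    }
    if ( substr( $option_name, -12 ) === '_font_weight' ) {
        return '/^(normal|bold|lighter|bolder|[1-9]00)$/i';
    }
    return null;
}

// Returns the reasons a row is suspicious; an empty array means it looks clean.
function ewc_flag_option( $option_name, $option_value ) {
    $reasons = array();
    foreach ( EWC_XSS_INDICATORS as $label => $regex ) {
        if ( preg_match( $regex, $option_value ) ) {
            $reasons[] = $label;
        }
    }
    $expected = ewc_expected_format( $option_name );
    if ( $expected !== null && ! preg_match( $expected, trim( $option_value ) ) ) {
        $reasons[] = 'not_a_valid_css_value';
    }
    return $reasons;
}

// Constructed sample rows, shaped like `wp db query` output (not real database content).
$rows = array(
    array( 'ewc_nav_font_size',     '14px' ),
    array( 'ewc_nav_font_weight',   '600' ),
    array( 'ewc_heading_font_size', '18px"><script>x</script>' ),
    array( 'ewc_text_font_weight',  'bold" onmouseover="x' ),
);
foreach ( $rows as list( $name, $value ) ) {
    $reasons = ewc_flag_option( $name, $value );
    printf( "%-24s %s\n", $name, $reasons ? 'SUSPICIOUS: ' . implode( ', ', $reasons ) : 'ok' );
}
```

The format check is the more robust of the two signals: a font-size option has no legitimate reason to contain anything but a number and a unit, so any other content is worth a manual look regardless of which keywords it happens to use.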
How to Mitigate CVE-2026-3574
Immediate Actions Required
- Update the Experto Dashboard for WooCommerce plugin to the latest patched version immediately
- Review the WordPress wp_options table for any existing malicious payloads in Experto-related entries
- Audit administrator account activity logs for unauthorized access or suspicious settings changes
- In multi-site environments, consider temporarily disabling the plugin until the update can be applied
Patch Information
A patch addressing this vulnerability has been released by the plugin developers. The WordPress changeset shows the security fixes implemented, which include adding proper sanitization callbacks to register_setting() calls and implementing esc_attr() escaping in output functions.
For detailed vulnerability analysis and patch verification, refer to the Wordfence Vulnerability Analysis.
Workarounds
- Restrict administrator access to only trusted users until the plugin can be updated
- Implement a Web Application Firewall with XSS protection rules to filter malicious input
- Disable the Experto Dashboard plugin temporarily if it is not critical to operations
- For multi-site installations, consider network-level plugin deactivation until patching is complete
# Verify current plugin version via WP-CLI
wp plugin list --name=experto-custom-dashboard --fields=name,version,update_version
# Update the plugin to the latest version
wp plugin update experto-custom-dashboard
# Check for suspicious entries in the options table (assumes the default wp_ table prefix; manual review required)
wp db query "SELECT option_name, option_value FROM wp_options WHERE option_name LIKE '%experto%' AND (option_value LIKE '%<script%' OR option_value LIKE '%javascript:%' OR option_value LIKE '%onerror%')"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.