Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-57356

CVE-2026-57356: MC Woocommerce Wishlist XSS Vulnerability

CVE-2026-57356 is an unauthenticated XSS vulnerability in MC Woocommerce Wishlist plugin affecting versions up to 1.9.19. Attackers can inject malicious scripts without authentication. This article covers technical details.

Published:

CVE-2026-57356 Overview

CVE-2026-57356 is an unauthenticated Cross-Site Scripting (XSS) vulnerability affecting the MC WooCommerce Wishlist plugin for WordPress, in versions up to and including 1.9.19. The flaw is classified under CWE-79, Improper Neutralization of Input During Web Page Generation. Attackers can inject arbitrary JavaScript that executes in a victim's browser when the victim interacts with a crafted request or link. Exploitation requires user interaction but no authentication, and the scope is changed, allowing impact beyond the vulnerable component. The plugin, distributed under the identifier smart-wishlist-for-more-convert, is used on WooCommerce storefronts to manage customer wishlists.

Critical Impact

Unauthenticated attackers can execute arbitrary JavaScript in the context of the WooCommerce site, enabling session hijacking, credential theft, and redirection of shoppers to attacker-controlled infrastructure.

Affected Products

  • MC WooCommerce Wishlist plugin (smart-wishlist-for-more-convert) versions <= 1.9.19
  • WordPress sites running WooCommerce with the affected plugin installed
  • Any storefront exposing the wishlist plugin's vulnerable endpoints to unauthenticated traffic

Discovery Timeline

  • 2026-07-02 - CVE-2026-57356 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-57356

Vulnerability Analysis

The vulnerability is a reflected or stored Cross-Site Scripting flaw in the MC WooCommerce Wishlist plugin. The plugin fails to properly neutralize user-supplied input before rendering it in HTML output. An unauthenticated attacker can craft a malicious URL or request containing JavaScript payloads. When a victim, typically a shopper or administrator, interacts with the crafted content, the payload executes in the victim's browser under the origin of the vulnerable site. Because the CVSS scope is changed, the injected script can affect resources beyond the plugin itself, including the wider WordPress session context. Successful exploitation can lead to theft of authentication cookies, forced administrative actions via CSRF chaining, and delivery of secondary payloads to site visitors.

Root Cause

The root cause is missing or insufficient output encoding and input sanitization in one or more request handlers exposed by the plugin. User-controlled parameters flow into HTML or JavaScript contexts without being escaped through functions such as esc_html(), esc_attr(), or wp_kses(). This failure aligns with the CWE-79 pattern of improper neutralization during web page generation.

Attack Vector

The attack vector is network-based and requires user interaction. An attacker distributes a crafted link, typically via phishing, malicious advertising, or a comment on a third-party site. When the victim clicks the link on the vulnerable WooCommerce site, the plugin reflects attacker-controlled input into the response without encoding. The browser parses the injected <script> tags or event handlers and executes them under the site's origin. Refer to the Patchstack advisory for technical specifics on the affected parameter.

Detection Methods for CVE-2026-57356

Indicators of Compromise

  • HTTP requests to MC WooCommerce Wishlist endpoints containing <script>, javascript:, onerror=, or onload= sequences in query parameters or form fields
  • Unexpected outbound requests from browser sessions to attacker-controlled domains following visits to wishlist pages
  • WordPress access logs showing repeated unauthenticated requests to plugin URLs with encoded HTML entities such as %3Cscript%3E

Detection Strategies

  • Deploy web application firewall (WAF) rules that inspect query strings and POST bodies destined for smart-wishlist-for-more-convert endpoints for XSS signatures
  • Enable WordPress security logging to capture full request URIs and payloads for the affected plugin routes
  • Correlate browser telemetry with server logs to identify sessions where reflected input matches known XSS patterns

Monitoring Recommendations

  • Alert on any HTTP response from the WooCommerce site that echoes back script tags supplied in the request
  • Monitor for anomalous administrator session activity, including cookie theft indicators such as sessions used from new IP addresses
  • Track plugin version inventory across WordPress instances to identify hosts still running MC WooCommerce Wishlist 1.9.19 or earlier

How to Mitigate CVE-2026-57356

Immediate Actions Required

  • Update the MC WooCommerce Wishlist plugin to a version later than 1.9.19 once released by the vendor
  • If no patched version is available, deactivate and remove the plugin from all WordPress installations
  • Rotate WordPress administrator credentials and invalidate active sessions if exploitation is suspected

Patch Information

At the time of publication, refer to the Patchstack advisory for the latest fix status and vendor guidance. Administrators should subscribe to plugin update notifications in the WordPress dashboard to apply security releases without delay.

Workarounds

  • Restrict access to plugin endpoints using a WAF rule set that blocks payloads matching XSS patterns until a patch is applied
  • Enforce a strict Content Security Policy (CSP) that disallows inline scripts and limits script sources to trusted origins
  • Set the HttpOnly and Secure flags on WordPress session cookies to reduce the impact of successful script execution
bash
# Example WAF rule (ModSecurity) to block reflected XSS payloads against the wishlist plugin
SecRule REQUEST_URI "@contains /wp-content/plugins/smart-wishlist-for-more-convert/" \
    "chain,phase:2,deny,status:403,id:1057356,msg:'Block XSS attempt against MC WooCommerce Wishlist CVE-2026-57356'"
    SecRule ARGS "@rx (?i)(<script|javascript:|onerror=|onload=)" "t:none,t:urlDecodeUni"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.