CVE-2026-6962 Overview
CVE-2026-6962 is a stored Cross-Site Scripting (XSS) vulnerability [CWE-79] in the Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin for WordPress. The flaw affects all plugin versions up to and including 4.1.0. It resides in the alg_wc_cog_product_cost and alg_wc_cog_product_profit shortcodes, which fail to sanitize input and escape output for user-supplied attributes. Authenticated users with Contributor-level access or higher can inject arbitrary JavaScript that executes when other users view affected pages.
Critical Impact
Authenticated attackers with low-privileged Contributor accounts can persistently inject JavaScript that executes in visitors' browsers, enabling session theft, redirection, and administrative actions through victim browsers.
Affected Products
- Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin for WordPress
- All versions up to and including 4.1.0
- WordPress sites using the affected plugin shortcodes
Discovery Timeline
- 2026-05-13 - CVE-2026-6962 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-6962
Vulnerability Analysis
The vulnerability stems from improper handling of shortcode attributes within the Cost of Goods plugin. The plugin registers two shortcodes, alg_wc_cog_product_cost and alg_wc_cog_product_profit, that accept user-supplied attributes and render them into page output. The plugin does not sanitize these attributes on input and does not escape them on output.
When a Contributor-level user embeds a malicious shortcode invocation into a post or page, the supplied attribute values are rendered inline as HTML. Browsers parse the injected payload as part of the page DOM, executing attacker-controlled JavaScript whenever any user views the page.
Because the script executes in the browser context of the viewing user, an attacker can hijack sessions, exfiltrate cookies, perform actions on behalf of administrators, or pivot to additional WordPress accounts. The scope change (S:C) reflects script execution affecting the security context of any visitor, including higher-privileged users.
Root Cause
The root cause is missing input sanitization and output escaping on shortcode attributes processed in class-alg-wc-cog-products.php at lines 119, 133, and 158. Attribute values flow directly from shortcode_atts into rendered HTML without calls to esc_attr, esc_html, or wp_kses to neutralize HTML and JavaScript content.
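As an added illustration (not the plugin's own code: the shortcode name, attribute names and meta key are assumed; only shortcode_atts, get_post_meta, absint, esc_attr, esc_html and add_shortcode are real WordPress core functions), the defect pattern described above next to a hardened handler that escapes each attribute for the context it is written into:

```php
<?php
// Added illustration, not the plugin's code: a hypothetical shortcode handler
// showing the defect pattern (attributes rendered unescaped) next to a hardened
// version that escapes every attribute at the point of output.

// Vulnerable pattern: values returned by shortcode_atts() are concatenated
// straight into HTML. Anything a Contributor puts in "label" or "class"
// lands in the DOM verbatim, which is the class of bug behind CVE-2026-6962.
function example_product_cost_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array(
        'product_id' => 0,
        'label'      => 'Cost:',
        'class'      => 'product-cost',
    ), $atts, 'example_product_cost' );
    $cost = get_post_meta( (int) $atts['product_id'], '_example_cost', true );
    // BUG: $atts['label'] and $atts['class'] are untrusted and unescaped.
    return '<span class="' . $atts['class'] . '">' . $atts['label'] . ' ' . $cost . '</span>';
}

// Hardened pattern: identical output for benign input, but each value is
// escaped for its context (attribute vs. text node) and the product id is
// coerced to a non-negative integer before it reaches the meta lookup.
function example_product_cost_shortcode_fixed( $atts ) {
    $atts = shortcode_atts( array(
        'product_id' => 0,
        'label'      => 'Cost:',
        'class'      => 'product-cost',
    ), $atts, 'example_product_cost' );
    $product_id = absint( $atts['product_id'] );
    $cost       = get_post_meta( $product_id, '_example_cost', true );
    return sprintf(
        '<span class="%s">%s %s</span>',
        esc_attr( $atts['class'] ),   // attribute context
        esc_html( $atts['label'] ),   // text context
        esc_html( $cost )             // stored meta is untrusted as well
    );
}
add_shortcode( 'example_product_cost', 'example_product_cost_shortcode_fixed' );
```

Escaping at output is the essential fix; input sanitization on save is an additional layer, not a substitute, because shortcode attributes are re-parsed from stored post content on every render.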
Attack Vector
Exploitation requires an authenticated WordPress account with at least Contributor-level privileges. The attacker authors a post containing the vulnerable shortcode with attribute values that carry a JavaScript payload. After submission, the payload persists in the post content. Any subsequent visitor, including administrators reviewing pending posts, triggers script execution in their browser session. The attack is network-accessible and requires no user interaction beyond loading the affected page.
The vulnerability is described in the Wordfence Vulnerability Report and the underlying code paths can be reviewed in the WordPress plugin source.
Detection Methods for CVE-2026-6962
Indicators of Compromise
- Posts or pages containing [alg_wc_cog_product_cost] or [alg_wc_cog_product_profit] shortcodes with attribute values that include HTML tags, <script> blocks, or JavaScript event handlers such as onerror= and onload=.
- Unexpected outbound browser requests from administrator sessions to attacker-controlled domains after viewing posts authored by Contributor accounts.
- New or modified post records in wp_posts authored by low-privileged users containing encoded payloads such as javascript:, &#x sequences, or base64 strings within shortcode attributes.
Detection Strategies
- Scan the WordPress database for shortcode usage referencing the vulnerable shortcodes and inspect attribute values for HTML or script content.
- Deploy web application firewall (WAF) rules that flag shortcode attribute values containing angle brackets, script, or DOM event handlers.
- Review WordPress audit logs for Contributor accounts submitting posts that include shortcodes outside expected business patterns.
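The indicators and the database scan described above, as an added stand-alone example (not the plugin's or Wordfence's code): it locates the two vulnerable shortcodes in post content and flags attribute values carrying markup, script, event handlers, javascript: URLs, hex entities or long base64-looking runs. The sample rows are constructed; run it over rows exported from wp_posts.

```php
<?php
// Added example, not the plugin's or Wordfence's code: a stand-alone scanner that
// finds the two vulnerable shortcodes in post content and flags attribute values
// carrying the indicators listed above (markup, script, event handlers, encoding).

const VULN_SHORTCODES     = array( 'alg_wc_cog_product_cost', 'alg_wc_cog_product_profit' );
const SUSPICIOUS_PATTERNS = array(
    'html_tag'      => '/[<>]/',
    'script'        => '/script/i',
    'event_handler' => '/\bon[a-z]+\s*=/i',
    'js_url'        => '/javascript\s*:/i',
    'hex_entity'    => '/&#x[0-9a-f]+;?/i',
    'base64_run'    => '/[A-Za-z0-9+\/]{40,}={0,2}/',
);

// Returns one finding per suspicious shortcode invocation found in $content.
function scan_post_content( string $content ): array {
    $findings = array();
    $names    = implode( '|', array_map( 'preg_quote', VULN_SHORTCODES ) );
    // "[name attrs]": the attribute text runs up to the closing bracket.
    if ( ! preg_match_all( '/\[(' . $names . ')\b([^\]]*)\]/i', $content, $m, PREG_SET_ORDER ) ) {
        return $findings;
    }
    foreach ( $m as $hit ) {
        $raw     = $hit[2];
        // Check the raw text and its entity-decoded form so encoded markup is not missed.
        $decoded = html_entity_decode( $raw, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
        $matched = array();
        foreach ( SUSPICIOUS_PATTERNS as $label => $re ) {
            if ( preg_match( $re, $raw ) || preg_match( $re, $decoded ) ) {
                $matched[] = $label;
            }
        }
        if ( $matched ) {
            $findings[] = array( 'shortcode' => strtolower( $hit[1] ), 'atts' => trim( $raw ), 'indicators' => $matched );
        }
    }
    return $findings;
}
// Constructed sample rows in the shape of wp_posts; only the second should be flagged.
$rows = array(
    array( 'ID' => 10, 'post_author' => 7, 'post_content' => 'Cost: [alg_wc_cog_product_cost product_id="12"]' ),
    array( 'ID' => 11, 'post_author' => 9, 'post_content' => '[alg_wc_cog_product_profit product_id="12" label="&lt;b&gt;x&lt;/b&gt;"]' ),
);
foreach ( $rows as $row ) {
    foreach ( scan_post_content( $row['post_content'] ) as $f ) {
        printf( "post %d by author %d: [%s %s] -> %s\n", $row['ID'], $row['post_author'], $f['shortcode'], $f['atts'], implode( ',', $f['indicators'] ) );
    }
}
```

The patterns are deliberately broad for triage (an attribute named `online=` would be flagged), so review each hit against the post author's role and the expected business use of the shortcode.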
Monitoring Recommendations
- Monitor administrator and editor browser sessions for anomalous JavaScript execution, cookie access, or unauthorized API requests to /wp-admin/admin-ajax.php.
- Alert on creation or modification of WordPress user accounts and role changes immediately following Contributor post submissions.
- Track plugin version inventory across WordPress deployments to identify hosts still running Cost of Goods versions at or below 4.1.0.
How to Mitigate CVE-2026-6962
Immediate Actions Required
- Update the Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin to a version newer than 4.1.0 as published in the vendor changeset.
- Audit existing post and page content for instances of the vulnerable shortcodes and remove or sanitize attribute values containing HTML or JavaScript.
- Review Contributor, Author, and Editor accounts for unexpected activity and rotate credentials for accounts showing suspicious post submissions.
Patch Information
The vendor released a fix tracked in the WordPress plugin changeset 3524832 for the cost-of-goods-for-woocommerce repository. Site administrators should apply the patched version through the WordPress plugin updater or by replacing the plugin files manually.
Workarounds
- Deactivate the Cost of Goods plugin until the patched version is installed if business operations permit.
- Restrict Contributor-level account provisioning and require Editor or Administrator review before publishing any content containing shortcodes.
- Deploy a WAF rule that blocks POST requests to /wp-admin/post.php containing the vulnerable shortcode names paired with HTML tag characters in attribute values.
# Example: WP-CLI command to identify posts containing the vulnerable shortcodes
# (adjust the wp_posts table name if the site uses a custom database table prefix)
wp db query "SELECT ID, post_author, post_status FROM wp_posts WHERE post_content LIKE '%alg_wc_cog_product_cost%' OR post_content LIKE '%alg_wc_cog_product_profit%';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.