Description
Cross-Site Request Forgery (CSRF) vulnerability in yourplugins Conditional Cart Messages for WooCommerce – YourPlugins.com yourplugins-wc-conditional-cart-notices allows Stored XSS. This issue affects Conditional Cart Messages for WooCommerce – YourPlugins.com: from n/a through <= 1.2.10.
Published: 2025-09-26
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery flaw that lets an attacker inject malicious JavaScript into the plugin’s cart notice fields, enabling stored cross‑site scripting. Classified as CWE‑352, it has a CVSS score of 7.1, indicating high potential impact if exploited, but the EPSS score is less than 1% and it is not listed in CISA’s KEV catalog.

Affected Systems

All installations of the WordPress plugin Conditional Cart Messages for WooCommerce – YourPlugins.com running version 1.2.10 or earlier are affected. Every release up to and including 1.2.10 contains the flaw (the advisory gives no lower bound), and only upgrading past that version removes the vulnerability.

Risk and Exploitability

Exploitation requires an attacker to trick a logged-in user, typically an administrator or shop owner, into submitting a crafted POST request to the cart notice endpoint without a valid nonce. Once the malicious script is stored, it executes in the browser of every visitor, giving the attacker persistent client-side code execution. While the predicted likelihood of exploitation is low (EPSS < 1%) and the flaw is not currently a known exploited vulnerability, the high CVSS score and the persistence of the stored XSS make it a serious threat.

Generated by OpenCVE AI on April 30, 2026 at 05:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Conditional Cart Messages for WooCommerce plugin to the latest version (>=1.2.11) to eliminate the CSRF flaw.
  • If an immediate upgrade is not possible, temporarily disable or uninstall the plugin until a patched version is installed, preventing the stored XSS vector from being used.
  • Add site‑wide CSRF protection—such as using a security plugin that enforces nonce checks on all POST requests—to further guard against similar exploits until the plugin is updated.

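To show the defect class described above and the nonce check the recommended actions call for, here is an added example (not the plugin's code; every name beginning with ycm_ is hypothetical) of a WordPress settings handler for a cart notice, first in the unprotected pattern and then with the nonce, capability and sanitization checks that close both the CSRF and the stored XSS:

```php
<?php
// Hypothetical cart-notice settings handler, written to illustrate the flaw
// class on this page. All ycm_ names are made up; this is not the plugin's code.

// VULNERABLE PATTERN: trusts any POST that reaches the handler. A logged-in
// administrator lured onto a third-party page can be made to submit it (CSRF),
// and the unsanitized message is later echoed to every shopper (stored XSS).
function ycm_save_notice_insecure() {
    update_option( 'ycm_cart_notice', $_POST['ycm_cart_notice'] );
}

// HARDENED PATTERN: nonce check, capability check, and sanitization on save.
function ycm_save_notice_secure() {
    // Aborts the request (HTTP 403) when the nonce is missing or invalid.
    check_admin_referer( 'ycm_save_notice', 'ycm_nonce' );
    // A nonce proves intent, not authority; the capability must still be checked.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'ycm' ), 403 );
    }
    $raw = isset( $_POST['ycm_cart_notice'] ) ? wp_unslash( $_POST['ycm_cart_notice'] ) : '';
    // Keep only the post-content HTML subset: <script>, on* handlers and
    // javascript: URLs are stripped before the value is stored.
    update_option( 'ycm_cart_notice', wp_kses_post( $raw ) );
    wp_safe_redirect( admin_url( 'admin.php?page=ycm-notice&updated=1' ) ); // hypothetical page slug
    exit;
}
add_action( 'admin_post_ycm_save_notice', 'ycm_save_notice_secure' );

// Settings form: wp_nonce_field() emits the hidden field the handler verifies.
function ycm_render_notice_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ycm_save_notice">
        <?php wp_nonce_field( 'ycm_save_notice', 'ycm_nonce' ); ?>
        <textarea name="ycm_cart_notice"><?php echo esc_textarea( get_option( 'ycm_cart_notice', '' ) ); ?></textarea>
        <?php submit_button( __( 'Save notice', 'ycm' ) ); ?>
    </form>
    <?php
}

// Front-end output: filter again on render so a value stored before the fix
// cannot execute either (defense in depth).
function ycm_render_cart_notice() {
    $notice = get_option( 'ycm_cart_notice', '' );
    if ( '' !== $notice ) {
        wc_print_notice( wp_kses_post( $notice ), 'notice' );
    }
}
add_action( 'woocommerce_before_cart', 'ycm_render_cart_notice' );
```

The same three checks apply to any plugin endpoint that writes shop-facing HTML: reject requests without a valid nonce, confirm the caller's capability, and sanitize on both write and render.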

Advisories
Source: EUVD
ID: EUVD-2025-31235
Title: Cross-Site Request Forgery (CSRF) vulnerability in yourplugins Conditional Cart Messages for WooCommerce – YourPlugins.com allows Stored XSS. This issue affects Conditional Cart Messages for WooCommerce – YourPlugins.com: from n/a through 1.2.10.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in yourplugins Conditional Cart Messages for WooCommerce &#8211; YourPlugins.com yourplugins-wc-conditional-cart-notices allows Stored XSS.This issue affects Conditional Cart Messages for WooCommerce &#8211; YourPlugins.com: from n/a through <= 1.2.10.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in yourplugins Conditional Cart Messages for WooCommerce – YourPlugins.com yourplugins-wc-conditional-cart-notices allows Stored XSS.This issue affects Conditional Cart Messages for WooCommerce – YourPlugins.com: from n/a through <= 1.2.10.

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Cross-Site Request Forgery (CSRF) vulnerability in yourplugins Conditional Cart Messages for WooCommerce &#8211; YourPlugins.com allows Stored XSS. This issue affects Conditional Cart Messages for WooCommerce &#8211; YourPlugins.com: from n/a through 1.2.10.
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in yourplugins Conditional Cart Messages for WooCommerce &#8211; YourPlugins.com yourplugins-wc-conditional-cart-notices allows Stored XSS.This issue affects Conditional Cart Messages for WooCommerce &#8211; YourPlugins.com: from n/a through <= 1.2.10.
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 29 Sep 2025 09:45:00 +0000

Type: First Time appeared
Values Added: Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress; Yourplugins; Yourplugins conditional Cart Messages For Woocommerce
Type: Vendors & Products
Values Added: Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress; Yourplugins; Yourplugins conditional Cart Messages For Woocommerce

Fri, 26 Sep 2025 14:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Sep 2025 08:45:00 +0000

Type: Description
Values Added: Cross-Site Request Forgery (CSRF) vulnerability in yourplugins Conditional Cart Messages for WooCommerce &#8211; YourPlugins.com allows Stored XSS. This issue affects Conditional Cart Messages for WooCommerce &#8211; YourPlugins.com: from n/a through 1.2.10.
Type: Title
Values Added: WordPress Conditional Cart Messages for WooCommerce – YourPlugins.com Plugin <= 1.2.10 - Cross Site Request Forgery (CSRF) Vulnerability
Type: Weaknesses
Values Added: CWE-352
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:56.385Z

Reserved: 2025-09-25T15:28:19.137Z

Link: CVE-2025-60171

Vulnrichment

Updated: 2025-09-26T13:20:02.110Z

NVD

Status : Deferred

Published: 2025-09-26T09:15:47.023

Modified: 2026-04-28T19:34:39.860

Link: CVE-2025-60171

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T06:00:12Z

Weaknesses