Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hands01 e-shops e-shops-cart2 allows DOM-Based XSS.This issue affects e-shops: from n/a through <= 1.0.4.
Published: 2026-01-08
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input that enables a DOM‑based XSS attack. An attacker can inject malicious scripts into the generated web page, potentially leading to session hijacking, data exfiltration, or defacement of the site. The weakness is classified as CWE‑79.

Affected Systems

The issue affects the WordPress e‑shops plugin (e‑shops-cart2) from any version through 1.0.4. Versions 1.0.4 or earlier are vulnerable, regardless of any patch applied after that point. The plugin is distributed by the vendor hands01, and it is a commercial or community‑based WordPress e‑commerce solution.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate to high risk when the vulnerability is exploitable. The EPSS score of less than 1% suggests that exploitation is currently rare or difficult. The flaw is not listed in CISA’s KEV catalog, and the typical attack vector is web‑based, with a malicious link or crafted input in a URL that the browser processes. In order to succeed the attacker needs access to an affected user’s browser; no special server‑side privileges are required.

Generated by OpenCVE AI on April 29, 2026 at 14:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the e‑shops plugin to version 1.0.5 or later, removes the DOM‑based XSS flaw.
  • If an update is not immediately available, disable or deactivate the e‑shops plugin until a fix is applied.
  • Apply a Content Security Policy header that disallows inline scripts to reduce the impact of any remaining XSS vectors.

Generated by OpenCVE AI on April 29, 2026 at 14:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 08 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Thu, 08 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hands01 e-shops e-shops-cart2 allows DOM-Based XSS.This issue affects e-shops: from n/a through <= 1.0.4.
Title WordPress e-shops plugin <= 1.0.4 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:32.752Z

Reserved: 2025-12-24T14:00:37.598Z

Link: CVE-2025-68890

cve-icon Vulnrichment

Updated: 2026-01-08T14:53:25.352Z

cve-icon NVD

Status : Deferred

Published: 2026-01-08T10:15:54.217

Modified: 2026-06-17T09:59:46.417

Link: CVE-2025-68890

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T15:00:13Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')