Description
The NextMove Lite – Thank You Page for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xlwcty_current_date' shortcode in all versions up to, and including, 2.23.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-02
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The NextMove Lite – Thank You Page for WooCommerce plugin contains a stored cross-site scripting flaw in its 'xlwcty_current_date' shortcode. User-supplied attributes are output directly without sanitization or escaping, allowing an attacker with contributor-level or higher access to inject malicious scripts. When injected pages are visited, the scripts run in the context of the site, giving the attacker the ability to steal cookies, deface content, redirect users, or launch further attacks. The vulnerability is a classic input-validation and output-escaping weakness (CWE-79).
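As an added illustration, not code from the plugin or from this page, the following hypothetical WordPress shortcode handler shows the unsafe pattern the description refers to (attribute values concatenated straight into HTML) next to a hardened form that validates the attributes and escapes at output. The shortcode tag 'demo_current_date' and the 'format' and 'class' attributes are assumptions for illustration; the page does not state which attributes the real shortcode accepts. The stand-in functions at the top exist only so the file also runs from the PHP CLI outside WordPress; inside WordPress the real functions are used.

```php
<?php
// Constructed example (not the plugin's code). Shortcode tag and attribute
// names are assumptions chosen for illustration.

// Stand-ins so this file runs from the PHP CLI outside WordPress. Inside
// WordPress these are already defined and the block below is skipped.
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
    function sanitize_html_class($class, $fallback = '') {
        $class = preg_replace('/[^A-Za-z0-9_-]/', '', (string) $class);
        return $class === '' ? $fallback : $class;
    }
    function shortcode_atts($defaults, $atts, $shortcode = '') {
        $atts = (array) $atts;
        $out  = [];
        foreach ($defaults as $key => $default) {
            $out[$key] = array_key_exists($key, $atts) ? $atts[$key] : $default;
        }
        return $out;
    }
    function wp_date($format) { return date($format); }
    function add_shortcode($tag, $callback) { /* no-op outside WordPress */ }
}

// UNSAFE pattern (CWE-79): attribute values go into the markup as-is, so any
// user who can place the shortcode in a post controls part of the page HTML.
// Note that even the date format string is an output vector: date() emits
// unrecognised characters literally, so it is not safe to pass through either.
function demo_current_date_unsafe($atts) {
    $a = shortcode_atts(['format' => 'Y-m-d', 'class' => 'current-date'], $atts, 'demo_current_date');
    return '<span class="' . $a['class'] . '">' . wp_date($a['format']) . '</span>';
}

// HARDENED form: restrict each attribute to what the feature actually needs,
// then escape at the point of output regardless (defence in depth).
function demo_current_date_safe($atts) {
    $a = shortcode_atts(['format' => 'Y-m-d', 'class' => 'current-date'], $atts, 'demo_current_date');

    // Allow-list the format instead of accepting a free-form string.
    $allowed_formats = ['Y-m-d', 'd/m/Y', 'm/d/Y', 'F j, Y'];
    $format = in_array($a['format'], $allowed_formats, true) ? $a['format'] : 'Y-m-d';

    // Reduce the class to a valid HTML class token, falling back to the default.
    $class = sanitize_html_class($a['class'], 'current-date');

    // esc_attr() for attribute context, esc_html() for text-node context.
    return '<span class="' . esc_attr($class) . '">' . esc_html(wp_date($format)) . '</span>';
}
add_shortcode('demo_current_date', 'demo_current_date_safe');

// Self-check from the CLI: constructed attribute values containing a quote and
// angle brackets must not survive into the hardened handler's output.
if (PHP_SAPI === 'cli') {
    $constructed = ['class' => 'x" data-x="', 'format' => '<Y>'];
    $html = demo_current_date_safe($constructed);
    echo $html, PHP_EOL;
    // Expect class="xdata-x" and the default Y-m-d format; no raw quote or '<' from input.
    assert(strpos($html, '<span class="xdata-x">') === 0);
}
```

The two things worth keeping from this pattern are the allow-list on the format (a date format string is not free text, so there is no reason to accept arbitrary characters) and the fact that escaping happens at output even after validation, with the escaping function chosen for the context the value lands in (esc_attr for an attribute, esc_html for element text).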

Affected Systems

All WordPress sites running the NextMove Lite – Thank You Page for WooCommerce plugin with a version of 2.23.0 or earlier are impacted. The vulnerability exists in every release up to and including 2.23.0, and any site that has not upgraded beyond that version remains exposed.

Risk and Exploitability

The CVSS score of 6.4 places this flaw in the medium severity range. Because the EPSS score is not available and the flaw is not listed in CISA’s KEV catalogue, the likelihood of immediate exploitation is uncertain, but the required privilege level is relatively low (contributor+). The attack vector, while authenticated, is straightforward for users with the appropriate role, as they can add or modify shortcodes via the WordPress editor or plugin settings.

Generated by OpenCVE AI on May 2, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the NextMove Lite plugin to the latest available version (greater than 2.23.0).
  • If an immediate upgrade is not possible, restrict contributor or higher roles from inserting or editing shortcodes, or disable the vulnerable shortcode feature via plugin settings.
  • Deploy a security plugin that enforces content‑security‑policy headers to block suspicious script execution and perform runtime sanitization of user‑provided content.

Generated by OpenCVE AI on May 2, 2026 at 14:35 UTC.

Advisories

No advisories yet.

History

Sat, 02 May 2026 13:30:00 +0000

Type | Values Removed | Values Added
Description | (empty) | The NextMove Lite – Thank You Page for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xlwcty_current_date' shortcode in all versions up to, and including, 2.23.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title | (empty) | NextMove Lite - Thank You Page for WooCommerce <= 2.23.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'xlwcty_current_date' Shortcode
Weaknesses | (empty) | CWE-79
References | (empty) | (empty)
Metrics | (empty) | cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-02T13:26:10.078Z

Reserved: 2026-01-08T01:07:52.291Z

Link: CVE-2026-0703

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-02T14:16:17.040

Modified: 2026-05-02T14:16:17.040

Link: CVE-2026-0703

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T14:45:44Z

Weaknesses