Description
The OpenPOS Lite – Point of Sale for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter of the order_qrcode shortcode in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-02-11
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The OpenPOS Lite – Point of Sale for WooCommerce plugin is vulnerable to a stored cross‑site scripting flaw triggered by the 'width' parameter of the order_qrcode shortcode. Authenticated users with Contributor-level privileges can inject arbitrary JavaScript. When a page containing the compromised shortcode is viewed, the injected script runs in the context of that page, giving the attacker the ability to steal session cookies, modify page content, or deface the site.

Affected Systems

Affected installations include any WordPress site running the OpenPOS Lite plugin up to and including version 3.0. The vulnerability exists in all releases prior to 3.1 and is present wherever the order_qrcode shortcode is used in public or administrative pages.

Risk and Exploitability

The flaw carries a CVSS score of 6.4 (Moderate) and an EPSS probability of less than 1 %, indicating a low overall exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. Because it requires only Contributor+ access, a wide range of site contributors could create the malicious payload. Once the shortcode is stored, the script executes for any visitor who loads the affected page, making the attack a persistent threat until remediation.

Generated by OpenCVE AI on April 15, 2026 at 17:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenPOS Lite to the latest release (>=3.1) where the 'width' attribute is properly sanitized.
  • If upgrading immediately is not feasible, remove or disable the order_qrcode shortcode on public‑facing pages to eliminate the stored script vector.
  • Temporarily revoke Contributor‐level permissions from users who are not required to add order_qrcode shortcodes, or reallocate the role with limited capabilities.

Generated by OpenCVE AI on April 15, 2026 at 17:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
References

Wed, 11 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Openpos
Openpos openpos Lite – Point Of Sale For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Openpos
Openpos openpos Lite – Point Of Sale For Woocommerce
Wordpress
Wordpress wordpress

Wed, 11 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 08:30:00 +0000

Type Values Removed Values Added
Description The OpenPOS Lite – Point of Sale for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter of the order_qrcode shortcode in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title OpenPOS Lite <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Openpos Openpos Lite – Point Of Sale For Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:27.754Z

Reserved: 2026-02-03T14:23:09.751Z

Link: CVE-2026-1826

cve-icon Vulnrichment

Updated: 2026-02-11T15:37:03.263Z

cve-icon NVD

Status : Deferred

Published: 2026-02-11T09:15:52.383

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1826

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T17:30:10Z

Weaknesses