Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Steve Truman Email Inquiry & Cart Options for WooCommerce woocommerce-email-inquiry-cart-options allows DOM-Based XSS.This issue affects Email Inquiry & Cart Options for WooCommerce: from n/a through <= 3.5.0.
Published: 2026-01-23
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS) that allows malicious script execution within user browsers via the WordPress plugin.
Action: Apply Patch
AI Analysis

Impact

The updated vulnerability description reveals a DOM‑based XSS flaw in the Email Inquiry & Cart Options for WooCommerce plugin caused by improper neutralization of user input during page generation. This flaw permits attackers to inject malicious JavaScript that executes in the browsers of site visitors, potentially leading to session hijacking, credential theft, or the display of deceptive content.

Affected Systems

All installations of the Email Inquiry & Cart Options for WooCommerce plugin developed by Steve Truman that use version 3.4.3 or earlier, up to and including 3.5.0 are affected. The flaw exists from the initial release through 3.5.0.

Risk and Exploitability

The CVSS v3.1 base score is 6.5, indicating medium severity. The EPSS score is less than 1%, suggesting a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote—an attacker would exploit the flaw by having a user interact with a crafted request to the plugin’s inquiry or cart functionality. The description does not specify additional prerequisites, so the vulnerability likely requires victim interaction with a malicious link or input field that the plugin fails to sanitize.

Generated by OpenCVE AI on April 28, 2026 at 22:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Email Inquiry & Cart Options for WooCommerce plugin to the latest available version of the plugin.
  • If an upgrade is not immediately feasible, remove or replace the plugin with an equivalent component that properly validates and sanitizes user input.
  • Deploy a strict Content Security Policy that disallows inline scripts and limits script sources to trusted domains to mitigate the impact of any residual XSS vectors.

Generated by OpenCVE AI on April 28, 2026 at 22:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Steve Truman Email Inquiry &amp; Cart Options for WooCommerce woocommerce-email-inquiry-cart-options allows DOM-Based XSS.This issue affects Email Inquiry &amp; Cart Options for WooCommerce: from n/a through <= 3.5.0. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Steve Truman Email Inquiry & Cart Options for WooCommerce woocommerce-email-inquiry-cart-options allows DOM-Based XSS.This issue affects Email Inquiry & Cart Options for WooCommerce: from n/a through <= 3.5.0.

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Steve Truman Email Inquiry &amp; Cart Options for WooCommerce woocommerce-email-inquiry-cart-options allows DOM-Based XSS.This issue affects Email Inquiry &amp; Cart Options for WooCommerce: from n/a through <= 3.4.3. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Steve Truman Email Inquiry &amp; Cart Options for WooCommerce woocommerce-email-inquiry-cart-options allows DOM-Based XSS.This issue affects Email Inquiry &amp; Cart Options for WooCommerce: from n/a through <= 3.5.0.

Tue, 27 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Steve Truman
Steve Truman email Inquiry & Cart Options For Woocommerce
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Steve Truman
Steve Truman email Inquiry & Cart Options For Woocommerce
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress

Fri, 23 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Steve Truman Email Inquiry &amp; Cart Options for WooCommerce woocommerce-email-inquiry-cart-options allows DOM-Based XSS.This issue affects Email Inquiry &amp; Cart Options for WooCommerce: from n/a through <= 3.4.3.
Title WordPress Email Inquiry & Cart Options for WooCommerce plugin <= 3.4.3 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Steve Truman Email Inquiry & Cart Options For Woocommerce
Woocommerce Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:48.806Z

Reserved: 2026-01-23T12:31:31.583Z

Link: CVE-2026-24526

cve-icon Vulnrichment

Updated: 2026-01-27T20:03:49.273Z

cve-icon NVD

Status : Deferred

Published: 2026-01-23T15:16:08.497

Modified: 2026-04-28T19:36:48.497

Link: CVE-2026-24526

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T22:30:41Z

Weaknesses