Description
The Whole Enquiry Cart for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘woowhole_success_msg’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2026-04-08
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting in WordPress WooCommerce plugin
Action: Patch Immediately
AI Analysis

Impact

The Whole Enquiry Cart for WooCommerce plugin for WordPress contains a stored cross‑site scripting flaw: the value of the 'woowhole_success_msg' setting is neither sanitized when it is saved nor escaped when it is rendered. An authenticated user with administrator-level access can store arbitrary HTML and JavaScript in that setting, and the script then runs in the browser of every visitor who loads a page on which the message is rendered. Such script can deface the page, capture form input, issue authenticated requests on behalf of higher-privileged users who view the page (for example a super admin on a multisite network), or load further payloads.

Affected Systems

The vulnerability affects every installation of idealwebdesignlk's Whole Enquiry Cart for WooCommerce plugin at version 1.2.1 or older. Exploiting it requires an account with administrator-level access, and it matters only where such an account does not also hold the unfiltered_html capability: WordPress multisite networks, where site administrators (as opposed to super admins) lack that capability by default, and single-site installations where it has been removed, for example via DISALLOW_UNFILTERED_HTML. On a default single-site install an administrator can already place raw HTML and script in content, so the plugin's missing sanitization grants nothing new there. Sites not running the plugin are not affected; at the time of writing no fixed version is listed.
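The pattern behind this class of bug and its hardened form, as an added example: this is not code from the Whole Enquiry Cart plugin (whose source is not on this page). Only the option name 'woowhole_success_msg' comes from the advisory; every function name and the settings group are hypothetical, and the vulnerable half deliberately omits nonce and capability checks to keep the contrast on sanitization and escaping.

```php
<?php
/**
 * Added example (not the plugin's code). Option name from the advisory;
 * function names and the 'woowhole_settings' group are hypothetical.
 */

// --- Vulnerable pattern: value stored and echoed without sanitization or escaping.
function vuln_example_save_success_msg() {
    // Nonce/capability checks omitted on purpose; the point here is the sink.
    if ( isset( $_POST['woowhole_success_msg'] ) ) {
        // wp_unslash() only removes magic-quote slashes; <script>, on* handlers
        // and javascript: URLs are stored verbatim.
        update_option( 'woowhole_success_msg', wp_unslash( $_POST['woowhole_success_msg'] ) );
    }
}

function vuln_example_render_success_msg() {
    // No output escaping: whatever was stored executes in every visitor's browser.
    echo '<div class="woowhole-success">' . get_option( 'woowhole_success_msg', '' ) . '</div>';
}

// --- Hardened pattern: sanitize on save, escape on output.
function hardened_example_sanitize_success_msg( $value ) {
    // wp_kses_post() keeps the post-content allowlist (p, strong, a, ...) and
    // drops <script>, on* attributes and disallowed URL schemes. A success
    // message never needs script, so this applies to everyone; if you wanted to
    // mirror core and let unfiltered_html holders keep raw markup, gate this on
    // current_user_can( 'unfiltered_html' ) instead.
    return wp_kses_post( (string) $value );
}

function hardened_example_register_setting() {
    register_setting(
        'woowhole_settings',           // hypothetical option group
        'woowhole_success_msg',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'hardened_example_sanitize_success_msg',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'hardened_example_register_setting' );

function hardened_example_render_success_msg() {
    // Escape at output too: the option may have been written by another path
    // (WP-CLI, a migration, an older plugin version) that skipped the callback.
    echo '<div class="woowhole-success">'
        . wp_kses_post( get_option( 'woowhole_success_msg', '' ) )
        . '</div>';
}
```

The sanitize_callback registered through register_setting() runs inside update_option(), so every save path that goes through the WordPress settings API is covered; the wp_kses_post() at render time is the defense-in-depth layer that makes already-stored payloads inert after the fix is deployed.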

Risk and Exploitability

The CVSS 3.1 base score is 4.4 (medium), vector AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N: reachable over the network, but high attack complexity and high privileges (an administrator account) are required, no user interaction is needed, and the scope change reflects that the script runs in other users' browsers. The EPSS score is below 1%, and the CVE is not in the CISA KEV catalog. Once a payload is stored in the success message, every visitor who loads a page rendering it is exposed, so this is a persistent foothold rather than a one-off. Confidentiality and integrity impact are rated low and availability is unaffected; the practical value to an attacker is that it turns an administrator account that has been deliberately denied unfiltered_html back into one that can run script in other users' sessions, including those of super admins on a multisite network. Without such an account there is no exploitation path.

Generated by OpenCVE AI on April 8, 2026 at 08:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Whole Enquiry Cart for WooCommerce plugin to a version later than 1.2.1 once the vendor releases one that sanitizes and escapes this setting; no fixed version is listed here yet.
  • Until then, inspect the stored 'woowhole_success_msg' option (in wp_options, or each site's options table on multisite) and replace anything beyond plain text or basic allowlisted HTML, or deactivate the plugin.
  • Restrict administrator accounts to trusted users. Removing unfiltered_html (the multisite default for site admins, or DISALLOW_UNFILTERED_HTML) is precisely the configuration in which this flaw matters, because the plugin does not honor that restriction; keep the restriction, but treat this plugin's settings as an unescaped sink until it is patched.
  • Monitor for signs of XSS exploitation, review recent changes to this option and the administrator actions that made them, and if you maintain a fork of the plugin, audit it for other settings that are echoed without escaping.
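A triage script for the second and fourth actions above, as an added example that is not OpenCVE's or the plugin's code: it reads the stored 'woowhole_success_msg' option, reports whether the install is in a configuration where the flaw matters, flags any markup that wp_kses_post() would remove (which is exactly what an injected payload would need), and rewrites the option only when asked. The filename is hypothetical; it is meant to be run through WP-CLI's eval-file command, which exposes extra positional arguments in $args.

```php
<?php
/**
 * Added example, not part of OpenCVE or the plugin.
 * Usage (hypothetical filename):  wp eval-file audit-woowhole.php [fix]
 * The optional "fix" argument arrives in $args (WP-CLI eval-file behaviour).
 */

$option  = 'woowhole_success_msg';
$stored  = (string) get_option( $option, '' );
$cleaned = wp_kses_post( $stored );

// Configuration where the CVE matters: administrators are NOT supposed to be
// able to store raw <script> here, i.e. multisite site admins or an install
// with DISALLOW_UNFILTERED_HTML.
$disallow_const = defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML;
WP_CLI::log( sprintf(
    'multisite: %s, DISALLOW_UNFILTERED_HTML: %s, current user unfiltered_html: %s',
    is_multisite() ? 'yes' : 'no',
    $disallow_const ? 'yes' : 'no',
    current_user_can( 'unfiltered_html' ) ? 'yes' : 'no'
) );

if ( $cleaned === $stored ) {
    WP_CLI::success( sprintf( '%s contains only allowlisted markup (%d bytes)', $option, strlen( $stored ) ) );
    return;
}

// Anything wp_kses_post() strips (script tags, on* handlers, javascript: URLs,
// unknown elements) is what an attacker would have had to inject.
WP_CLI::warning( sprintf( '%s contains markup outside the wp_kses_post() allowlist', $option ) );
WP_CLI::log( 'stored : ' . substr( $stored, 0, 300 ) );
WP_CLI::log( 'cleaned: ' . substr( $cleaned, 0, 300 ) );

if ( ! empty( $args ) && 'fix' === $args[0] ) {
    update_option( $option, $cleaned );
    WP_CLI::success( sprintf( '%s rewritten with the wp_kses_post() output', $option ) );
} else {
    WP_CLI::log( 'Re-run with the "fix" argument to replace the stored value with the cleaned one.' );
}
```

On a multisite network the option lives in each site's own options table, so run the script per site, for example by iterating over `wp site list --field=url` and passing each URL with `--url=`. Keep the "stored" line from the output as evidence before fixing: the exact payload tells you what the attacker was after (a keylogger on the login form, a request to a super-admin-only endpoint, an external loader) and which administrator's actions to review.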

Generated by OpenCVE AI on April 8, 2026 at 08:51 UTC.

Tracking


Advisories

No advisories yet.

History

Mon, 13 Apr 2026 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 19:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Idealwebdesignlk; Idealwebdesignlk whole Enquiry Cart For Woocommerce; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Idealwebdesignlk; Idealwebdesignlk whole Enquiry Cart For Woocommerce; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 07:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Whole Enquiry Cart for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘woowhole_success_msg’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Type: Title
Values Removed: (none)
Values Added: Whole Enquiry Cart for WooCommerce <= 1.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'woowhole_success_msg' Parameter

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-13T15:15:09.983Z

Reserved: 2026-02-19T21:45:35.857Z

Link: CVE-2026-2838

Vulnrichment

Updated: 2026-04-13T15:12:03.342Z

NVD

Status: Deferred

Published: 2026-04-08T07:16:20.707

Modified: 2026-04-27T19:04:22.650

Link: CVE-2026-2838

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:43:35Z

Weaknesses