Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VillaTheme Abandoned Cart Recovery for WooCommerce woo-abandoned-cart-recovery allows Stored XSS. This issue affects Abandoned Cart Recovery for WooCommerce: from n/a through <= 1.1.10.
Published: 2026-03-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw caused by improper input neutralization when generating web pages. An attacker can inject malicious JavaScript that is stored by the Abandoned Cart Recovery for WooCommerce plugin and then executed in a victim’s browser. This may allow data theft, session hijacking, or defacement of the site. The weakness is identified as CWE‑79. The impact is primarily on confidentiality and integrity of users’ session data and on the availability of trusted site functionality.

Affected Systems

VillaTheme’s Abandoned Cart Recovery for WooCommerce plugin for WordPress is affected. All releases from the earliest version up through 1.1.10 are vulnerable. Application owners should check whether their site is running one of these versions before applying a fix.

Risk and Exploitability

The CVSS score of 7.1 indicates substantial risk; the EPSS score is not available, and the vulnerability is not listed in the KEV catalog. An attacker can exploit the flaw by submitting malicious input through the plugin’s storage mechanism; that input is later rendered on pages viewed by site administrators or customers. Exploitation requires no elevated privileges and can be performed remotely through the public interface, although the published CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) records that user interaction is required. Because the flaw is stored, any injected script persists on the site until it is removed or overwritten.

Generated by OpenCVE AI on March 25, 2026 at 22:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the current plugin version on your WordPress installation.
  • If you are on version 1.1.10 or earlier, upgrade to the latest release, which contains the XSS fix.
  • After updating, test site functionality and confirm that malicious input is no longer executed.
  • If an upgrade is not immediately possible, restrict the plugin’s functionality and monitor for any signs of exploitation.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Villatheme; Villatheme abandoned Cart Recovery For Woocommerce; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Villatheme; Villatheme abandoned Cart Recovery For Woocommerce; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VillaTheme Abandoned Cart Recovery for WooCommerce woo-abandoned-cart-recovery allows Stored XSS. This issue affects Abandoned Cart Recovery for WooCommerce: from n/a through <= 1.1.10.

Type: Title
Values Removed: (none)
Values Added: WordPress Abandoned Cart Recovery for WooCommerce plugin <= 1.1.10 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-25T20:13:18.135Z

Reserved: 2026-03-12T11:12:19.949Z

Link: CVE-2026-32526

Vulnrichment

Updated: 2026-03-25T20:03:17.949Z

NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:17:05.717

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-32526

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:12:23Z

Weaknesses