Description
The Experto Dashboard for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's settings fields (including 'Navigation Font Size', 'Navigation Font Weight', 'Heading Font Size', 'Heading Font Weight', 'Text Font Size', and 'Text Font Weight') in all versions up to and including 1.0.4. This is due to insufficient input sanitization (no sanitize callback in register_setting()) and missing output escaping (no esc_attr() in the field_callback() printf output) on user-supplied values. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in the plugin settings page that will execute whenever a user accesses the settings page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2026-04-09
Score: 4.4 Medium
EPSS: n/a
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the Settings page of the Experto Dashboard for WooCommerce plugin where certain fields such as ‘Navigation Font Size’, ‘Navigation Font Weight’, ‘Heading Font Size’, ‘Heading Font Weight’, ‘Text Font Size’, and ‘Text Font Weight’ are stored without sanitization or escaping. This permits an authenticated user with Administrator or higher privileges to embed arbitrary JavaScript that will run for any user who visits the Settings page, enabling the attacker to perform actions such as phishing, cookie theft, or defacement.

Affected Systems

The affected product is the Experto Dashboard for WooCommerce plugin by uxdexperts, available for WordPress installations. All releases up to and including version 1.0.4 are vulnerable. The issue manifests only in multi‑site WordPress environments where the unfiltered_html capability is disabled, and the attacker must have permission to edit plugin settings.

Risk and Exploitability

The CVSS score of 4.4 places the severity in the moderate range, and because the exploit requires authenticated access it is less likely to be abused broadly. No EPSS score is available and the vulnerability is not currently listed in the CISA KEV catalog, which suggests limited public exploitation. Nevertheless the impact of an attacker executing arbitrary code for other site users remains significant, and the issue can be leveraged to compromise the entire WordPress installation if additional weaknesses exist.

Generated by OpenCVE AI on April 9, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Experto Dashboard for WooCommerce plugin to the latest version that removes the vulnerable settings handling.
  • If an upgrade cannot be performed immediately, limit access to the Settings page by removing or restricting the editor privileges for roles other than the site administrator.
  • Consider disabling the multi‑site feature or enabling the unfiltered_html capability only for trusted users while the plugin is pending a patch.
  • Perform a security review of all other plugins and theme settings to ensure similar unsanitized inputs are not present.

Generated by OpenCVE AI on April 9, 2026 at 04:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Uxdexperts
Uxdexperts experto Dashboard For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Uxdexperts
Uxdexperts experto Dashboard For Woocommerce
Wordpress
Wordpress wordpress

Thu, 09 Apr 2026 03:30:00 +0000

Type Values Removed Values Added
Description The Experto Dashboard for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's settings fields (including 'Navigation Font Size', 'Navigation Font Weight', 'Heading Font Size', 'Heading Font Weight', 'Text Font Size', and 'Text Font Weight') in all versions up to and including 1.0.4. This is due to insufficient input sanitization (no sanitize callback in register_setting()) and missing output escaping (no esc_attr() in the field_callback() printf output) on user-supplied values. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in the plugin settings page that will execute whenever a user accesses the settings page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title Experto Dashboard for WooCommerce <= 1.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Navigation Font Size' Setting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Uxdexperts Experto Dashboard For Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-09T02:25:06.330Z

Reserved: 2026-03-04T21:32:51.658Z

Link: CVE-2026-3574

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-09T04:17:10.990

Modified: 2026-04-09T04:17:10.990

Link: CVE-2026-3574

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:25:11Z

Weaknesses