Description
Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions.
Published: 2026-06-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to inject malicious scripts that are reflected in the website's response without requiring authentication. If exploited, malicious code can run in the browser of any visitor, potentially enabling session hijacking, defacement, or phishing attacks. The weakness is a classic reflected XSS flaw, classified as CWE-79.

Affected Systems

The flaw affects the WordPress Min Max Step Quantity Limits Manager for WooCommerce plugin versions 5.2.2 and earlier, distributed by WPFactory. Users running any of those versions are impacted.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity for a reflected XSS. The EPSS score of less than 1% suggests a low but non-zero exploitation probability, and the vulnerability is not listed in CISA's KEV catalog. Based on the description, the likely attack vector is an unauthenticated user submitting a crafted URL or input that the plugin reflects back unsanitized, allowing the injection of script payloads.

Generated by OpenCVE AI on June 17, 2026 at 22:44 UTC.

Remediation

Vendor Solution

Update the WordPress Min Max Step Quantity Limits Manager for WooCommerce Plugin to the latest available version (at least 5.2.3).


OpenCVE Recommended Actions

  • Update the WordPress Min Max Step Quantity Limits Manager for WooCommerce Plugin to version 5.2.3 or later.
  • If an immediate upgrade is not feasible, disable or remove the vulnerable plugin from the live environment until a patch can be applied.
  • Deploy a Web Application Firewall rule that detects and blocks reflected XSS payloads targeting the plugin’s input paths to reduce exposure while the patch is pending.

Generated by OpenCVE AI on June 17, 2026 at 22:44 UTC.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 09:45:00 +0000

Type | Values Removed | Values Added
Description | | Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions.
Title | | WordPress Min Max Step Quantity Limits Manager for WooCommerce plugin <= 5.2.2 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T16:10:14.168Z

Reserved: 2026-04-07T08:24:21.369Z

Link: CVE-2026-39437

Vulnrichment

Updated: 2026-06-16T16:10:09.541Z

NVD

Status: Deferred

Published: 2026-06-16T10:16:26.970

Modified: 2026-06-16T14:52:36.287

Link: CVE-2026-39437

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T22:45:13Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')