Description
The Easy Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add_to_cart' shortcode in all versions up to and including 1.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the ectp_add_to_cart() function uses sanitize_text_field() on shortcode attributes like 'itemid', 'product_name', 'product_desc', 'product_qty', and 'price' before inserting them into double-quoted HTML attributes. While sanitize_text_field() strips HTML tags, it does not escape double quote characters, allowing an attacker to break out of the HTML attribute context and inject arbitrary event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
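As an added illustration (not the plugin's code), the PHP below contrasts the pattern the description names with its corrected form: sanitize_text_field() leaves a double quote intact, so the value terminates the attribute, while esc_attr() encodes it for the attribute context. The render_* and attribute_names() functions are hypothetical, and the two fallbacks are simplified stand-ins for the WordPress helpers, defined only when WordPress itself is not loaded.

```php
<?php
// Added example: why sanitizing is not the same as escaping for output.
// Stand-ins for the WordPress helpers, used only outside WordPress.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        // Simplified: strips tags and whitespace, leaves quotes untouched.
        return trim(strip_tags($s));
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        // Simplified: encodes & < > " ' so the value cannot end the attribute.
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Pattern the advisory describes: sanitized, but not escaped for the
// double-quoted attribute it is written into.
function render_unsafe(array $atts): string {
    $name = sanitize_text_field($atts['product_name'] ?? '');
    return '<input type="hidden" name="product_name" value="' . $name . '">';
}

// Hardened form: escape at the point of output, in the attribute context.
function render_safe(array $atts): string {
    $name = sanitize_text_field($atts['product_name'] ?? '');
    return '<input type="hidden" name="product_name" value="' . esc_attr($name) . '">';
}

// Parse the fragment the way a browser would and list the attributes the
// <input> element actually ends up with.
function attribute_names(string $html): array {
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $el = $doc->getElementsByTagName('input')->item(0);
    $names = [];
    foreach ($el->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed input containing the breakout character and the event
// handler the advisory uses as its example.
$atts = ['product_name' => 'Widget" onmouseover="alert(1)'];

// Unsafe output gains a fourth attribute (onmouseover); safe output keeps three.
echo implode(' ', attribute_names(render_unsafe($atts))), "\n";
echo implode(' ', attribute_names(render_safe($atts))), "\n";
```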
Published: 2026-06-02
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Easy Cart WordPress plugin is vulnerable to stored cross-site scripting in the 'add_to_cart' shortcode. User input provided in attributes such as itemid, product_name, product_desc, product_qty, and price is sanitized with sanitize_text_field(), which removes HTML tags but does not escape double-quote characters. Because these values are inserted directly into double-quoted HTML attributes, an attacker can close the attribute and inject an arbitrary event-handler attribute (for example, onmouseover="alert(1)") that executes whenever the affected page is rendered. The vulnerability does not grant privilege escalation; it requires an authenticated user with Contributor-level access or higher who can add or edit content containing the shortcode. Once such a user stores a malicious string, the browser of every visitor to that page runs the embedded JavaScript, potentially leading to data theft or account takeover on the victim side.

Affected Systems

This flaw affects all releases of the Easy Cart plugin from the zeshanb vendor up to and including version 1.8. Any WordPress installation that has the plugin deployed and allows authenticated users with Contributor or higher roles to create or edit content containing the 'add_to_cart' shortcode is vulnerable. No specific operating system or PHP version constraints were cited in the advisory.

Risk and Exploitability

The vulnerability has a CVSS score of 6.4, indicating a medium severity. No EPSS score is available, so the exploitation probability is currently unknown. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated Contributor or higher user to insert malicious text into a shortcode, and a victim to load a stored page that includes the malicious attribute. Attackers with sufficient privileges can embed scripts that run in the context of site visitors.

Generated by OpenCVE AI on June 2, 2026 at 09:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Easy Cart to a version that removes the insecure handling of shortcode attributes.
  • If an immediate patch is unavailable, limit the use of the 'add_to_cart' shortcode to trusted administrators or remove it from publicly accessible content.
  • Implement web-application firewall rules that block injection of unescaped quotes or event-handler attributes within HTML attributes.

Generated by OpenCVE AI on June 2, 2026 at 09:22 UTC.

Tracking


Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared: Wordpress; Wordpress wordpress; Zeshanb; Zeshanb easy Cart
Vendors & Products: Wordpress; Wordpress wordpress; Zeshanb; Zeshanb easy Cart

Tue, 02 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 08:30:00 +0000

Type Values Removed Values Added
Description The Easy Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add_to_cart' shortcode in all versions up to and including 1.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the ectp_add_to_cart() function uses sanitize_text_field() on shortcode attributes like 'itemid', 'product_name', 'product_desc', 'product_qty', and 'price' before inserting them into double-quoted HTML attributes. While sanitize_text_field() strips HTML tags, it does not escape double quote characters, allowing an attacker to break out of the HTML attribute context and inject arbitrary event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Easy Cart <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Wordpress Wordpress
Zeshanb Easy Cart
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-02T10:45:43.560Z

Reserved: 2026-03-12T20:44:26.013Z

Link: CVE-2026-4080

Vulnrichment

Updated: 2026-06-02T10:45:38.837Z

NVD

Status : Deferred

Published: 2026-06-02T09:16:16.507

Modified: 2026-06-02T13:03:31.153

Link: CVE-2026-4080

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:51:58Z

Weaknesses