Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Stored XSS. This issue affects Smart Online Order for Clover: from n/a through <= 1.6.0.
Published: 2026-05-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input in the Smart Online Order for Clover WordPress plugin results in a stored cross‑site scripting vulnerability. When an attacker injects malicious JavaScript into the plugin’s data, the script runs in the browser of any user who views the affected page. This can lead to session hijacking, phishing attacks, defacement, or other client‑side compromise. The weakness is a classic input validation flaw identified as CWE‑79.

Affected Systems

The vulnerability affects the ZAYTECH Smart Online Order for Clover plugin for WordPress with versions up to and including 1.6.0. Any WordPress site that has installed the plugin in those versions is susceptible.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. No EPSS score is available, so the probability of exploitation cannot be quantified from the data. The vulnerability is not currently listed in the CISA KEV catalog, so there is no recorded evidence there of exploitation in the wild. The most probable attack vector is web‑based: an attacker would need to submit malicious input through the plugin’s management interface, and that input is then displayed to end users.

Generated by OpenCVE AI on May 27, 2026 at 11:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Smart Online Order for Clover plugin to version 1.6.1 or later.
  • If an upgrade is not immediately possible, disable or uninstall the plugin to prevent user exposure.
  • Review the WordPress installation for any unintended or modified plugin files and perform a site‑wide vulnerability scan.


Advisories

No advisories yet.

History

Wed, 27 May 2026 14:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress, Wordpress wordpress, Zaytech, Zaytech smart Online Order For Clover
Vendors & Products | | Wordpress, Wordpress wordpress, Zaytech, Zaytech smart Online Order For Clover

Wed, 27 May 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Stored XSS. This issue affects Smart Online Order for Clover: from n/a through <= 1.6.0.
Title | | WordPress Smart Online Order for Clover plugin <= 1.6.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-27T10:51:56.288Z

Reserved: 2026-04-29T09:05:25.570Z

Link: CVE-2026-42738

Vulnrichment

Updated: 2026-05-27T10:51:51.707Z

NVD

Status: Deferred

Published: 2026-05-27T11:16:20.470

Modified: 2026-05-27T14:50:47.627

Link: CVE-2026-42738

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T14:15:17Z
