Description
The WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2026-04-14
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (stored) allowing arbitrary script execution on affected pages
Action: Apply Patch
AI Analysis

Impact

The WholeSale Products Dynamic Pricing Management WooCommerce plugin contains a stored cross‑site scripting flaw due to insufficient input sanitization and output escaping in the admin settings. Authenticated users with administrator‑level permissions can inject arbitrary JavaScript or other executable content into these settings. When a page reads the affected settings, the injected script executes in the browser of any visitor, potentially allowing cookie theft, session hijacking, or further exploitation of the site. The weakness maps to CWE‑79.

Affected Systems

The vulnerability affects all installations of the WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress up to and including version 1.2. It only applies in multi‑site environments or where the unfiltered_html capability has been disabled, meaning the flaw is relevant to most typical WordPress deployments that use this plugin on multisite setups.

Risk and Exploitability

The CVSS base score of 4.4 puts the issue in the medium severity range. No EPSS score has been published and the vulnerability is not listed in CISA’s KEV catalog, suggesting that it has not yet been widely exploited. Nevertheless, the requirement of administrator access in a multi‑site WordPress installation makes the attack surface significant for sites with a single compromised admin account. An attacker with such privileges can inject persistent scripts via the plugin settings page, which are delivered to every visitor of affected pages.

Generated by OpenCVE AI on April 14, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WholeSale Products Dynamic Pricing Management WooCommerce to the latest version (v1.3 or later).
  • Verify that the unfiltered_html capability is disabled for non‑admin users or in multisite installations.
  • Review and remove any custom scripts that have been inserted via the plugin’s settings.
  • Restrict administrator accounts to prevent accidental insertion of malicious content until a patch is released.

Generated by OpenCVE AI on April 14, 2026 at 05:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpcodefactory
Wpcodefactory wholesale Products Dynamic Pricing Management Woocommerce
Vendors & Products Wordpress
Wordpress wordpress
Wpcodefactory
Wpcodefactory wholesale Products Dynamic Pricing Management Woocommerce

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 04:00:00 +0000

Type Values Removed Values Added
Description The WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title WholeSale Products Dynamic Pricing Management WooCommerce <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
Wpcodefactory Wholesale Products Dynamic Pricing Management Woocommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-14T14:04:52.634Z

Reserved: 2026-03-19T21:10:40.397Z

Link: CVE-2026-4479

cve-icon Vulnrichment

Updated: 2026-04-14T14:04:07.990Z

cve-icon NVD

Status : Deferred

Published: 2026-04-14T04:17:18.717

Modified: 2026-04-22T20:23:16.350

Link: CVE-2026-4479

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:30:51Z

Weaknesses