Description
Subscriber Cross Site Scripting (XSS) in SureCart <= 4.2.2 versions.
Published: 2026-06-26
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a subscriber Cross Site Scripting flaw in the SureCart WordPress plugin through version 4.2.2. It allows attackers to inject arbitrary HTML or JavaScript into content that is rendered to site visitors, potentially enabling theft of session cookies, phishing, or defacement. This weakness is classified as CWE‑79.

Affected Systems

Any WordPress site running the SureCart plugin version 4.2.2 or earlier is affected. The vendor/product designation is SureCart: SureCart.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity. The EPSS score is not available and the vulnerability is not currently listed in the CISA KEV catalogue, suggesting no known widespread exploitation. The likely attack vector is through the web interface, where a malicious subscriber or targeted visitor can trigger the stored script. When combined with social engineering or misuse of the subscriber form, the risk to confidentiality and integrity of website data is significant.

Generated by OpenCVE AI on June 26, 2026 at 17:06 UTC.

Remediation

Vendor Solution

Update the WordPress SureCart Plugin to the latest available version (at least 4.2.3).

OpenCVE Recommended Actions

  • Update the SureCart WordPress plugin to the latest stable release, at least version 4.2.3.
  • Validate or sanitize any subscriber input that is displayed to other users, ensuring that only allowed tags are rendered.
  • Review the plugin’s settings to disable or restrict features that accept user‑supplied HTML, if they are not needed.

Generated by OpenCVE AI on June 26, 2026 at 17:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Surecart
Surecart surecart
Wordpress
Wordpress wordpress
Vendors & Products Surecart
Surecart surecart
Wordpress
Wordpress wordpress

Fri, 26 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Description Subscriber Cross Site Scripting (XSS) in SureCart <= 4.2.2 versions.
Title WordPress SureCart plugin <= 4.2.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Surecart Surecart
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T15:39:38.472Z

Reserved: 2026-06-24T12:44:58.566Z

Link: CVE-2026-57313

cve-icon Vulnrichment

Updated: 2026-06-26T15:39:34.225Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T20:15:02Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')