Impact
Unauthenticated Cross Site Scripting (XSS) exists in all MC Woocommerce Wishlist plugin releases up to and including 1.9.19. The flaw allows an attacker to inject arbitrary scripts that execute within the browsers of any user visiting the affected wishlist pages. This can lead to session hijacking, theft of credentials, or defacement of site content. The vulnerability is a classic example of CWE-79, a weakness in user input handling that fails to properly sanitize or encode output.
Affected Systems
The vulnerability affects the MC Woocommerce Wishlist plugin developed by the Moreconvert team. Any WordPress site running this plugin at version 1.9.19 or earlier is impacted. The plugin is used to manage wishlists on WooCommerce-powered e-commerce sites.
Risk and Exploitability
The CVSS score of 7.1 indicates high severity; no EPSS score is available and the issue is not listed in the CISA KEV catalog. Because exploitation requires no authentication, an attacker can trigger the vulnerability simply by having a victim load a crafted URL or by entering malicious data into the wishlist interface. Once executed, the injected script runs in the visitor's browser within the site's origin, with the privileges of that visitor's session, providing an opportunity for further compromise. The absence of a KEV entry suggests the flaw has not yet been widely seen in the wild, but the high CVSS score indicates a potentially significant impact if it is exploited.
OpenCVE Enrichment