Description
Unauthenticated Cross Site Scripting (XSS) in MC Woocommerce Wishlist <= 1.9.19 versions.
Published: 2026-07-02
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated Cross Site Scripting (XSS) exists in all MC Woocommerce Wishlist plugin releases up to and including 1.9.19. The flaw allows an attacker to inject arbitrary scripts that execute within the browsers of any user visiting the affected wishlist pages. This can lead to session hijacking, theft of credentials, or defacement of site content. The vulnerability is a classic example of CWE-79, a weakness in user input handling that fails to properly sanitize or encode output.

Affected Systems

The vulnerability targets the MC Woocommerce Wishlist plugin developed by the Moreconvert team. Any WordPress site that runs this plugin on version 1.9.19 or earlier is impacted. The plugin is used to manage wishlists in WooCommerce-powered e‑commerce sites.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity; no EPSS score is available, and the issue is not listed in the CISA KEV catalog. Because no authentication is required, an attacker can trigger the vulnerability with a crafted URL or by entering malicious data into the wishlist interface. The CVSS vector (UI:R) indicates that a user must interact for the script to run. Once executed, the injected script runs in the visitor's browser with that visitor's privileges on the site, providing an opportunity for further compromise. The absence of a KEV listing suggests that the flaw has not yet been widely seen in the wild, but the high CVSS score suggests a potentially significant impact if exploited.

Generated by OpenCVE AI on July 2, 2026 at 15:17 UTC.

Remediation

Vendor Solution

Update the WordPress MC Woocommerce Wishlist Plugin to the latest available version (at least 1.9.20).


OpenCVE Recommended Actions

  • Update the MC Woocommerce Wishlist Plugin to version 1.9.20 or later, ensuring that all known fixes are applied.
  • Apply proper output escaping to any user supplied data rendered on wishlist pages to guarantee that injected characters are treated as harmless text.
  • Implement a strict Content Security Policy that only allows scripts from trusted origins, thereby limiting the damage of any residual XSS attempts.


Advisories

No advisories yet.

History

Thu, 02 Jul 2026 11:30:00 +0000

Type | Values Removed | Values Added
Description | | Unauthenticated Cross Site Scripting (XSS) in MC Woocommerce Wishlist <= 1.9.19 versions.
Title | | WordPress MC Woocommerce Wishlist plugin <= 1.9.19 - Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T11:26:36.395Z

Reserved: 2026-06-24T12:45:36.889Z

Link: CVE-2026-57356

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T15:30:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')