Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HashThemes Mini Ajax Cart for WooCommerce allows Stored XSS. This issue affects Mini Ajax Cart for WooCommerce: from n/a through 1.3.4.
Published: 2026-04-15
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The flaw is a stored cross‑site scripting vulnerability that allows an attacker to inject and store malicious JavaScript in the Mini Ajax Cart for WooCommerce plugin data. When users load the cart page, the unsanitized input is rendered in the browser, which can lead to defacement, cookie theft, or session hijacking. This weakness falls under the category of insecure input handling (CWE‑79).

Affected Systems

Vendor: HashThemes. Product: Mini Ajax Cart for WooCommerce plugin. All releases through 1.3.4 are affected.

Risk and Exploitability

The CVSS v3.1 score is 5.9, indicating a medium severity issue. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known public exploitation. Likely attack paths involve submitting malicious data through the cart interfaces, which is stored and later displayed to any user who views the cart. While the flaw does not provide direct server‐side code execution or privilege escalation, an attacker can compromise the browsing session of any visitor to the site.

Generated by OpenCVE AI on April 15, 2026 at 19:21 UTC.

Remediation

Vendor Solution

Update the WordPress Mini Ajax Cart for WooCommerce Plugin to the latest available version (at least 1.3.5).


OpenCVE Recommended Actions

  • Update the WordPress Mini Ajax Cart for WooCommerce Plugin to version 1.3.5 or later.
  • Configure a web application firewall or similar filtering to block or sanitize script payloads submitted to the cart fields.
  • If the plugin is not essential, disable or remove it until a secure version is available.



Advisories

No advisories yet.

History

Wed, 15 Apr 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Hashthemes; Hashthemes mini Ajax Cart For Woocommerce; Wordpress; Wordpress wordpress |
| Vendors & Products | | Hashthemes; Hashthemes mini Ajax Cart For Woocommerce; Wordpress; Wordpress wordpress |

Wed, 15 Apr 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HashThemes Mini Ajax Cart for WooCommerce allows Stored XSS. This issue affects Mini Ajax Cart for WooCommerce: from n/a through 1.3.4. |
| Title | | WordPress Mini Ajax Cart for WooCommerce plugin <= 1.3.4 - Cross Site Scripting (XSS) vulnerability |
| Weaknesses | | CWE-79 |
| References | | |
| Metrics | | cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-15T16:02:14.957Z

Reserved: 2026-04-15T16:00:56.964Z

Link: CVE-2026-6370

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-15T17:17:06.387

Modified: 2026-04-15T17:17:06.387

Link: CVE-2026-6370

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T21:02:25Z
