Description
The Call for Price for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Published: 2026-05-02
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Call for Price for WooCommerce plugin for WordPress is vulnerable to stored cross‑site scripting through the administrator configuration of the product type label. The flaw stems from insufficient input sanitization and output escaping, allowing an authenticated attacker with administrator‑level permissions to inject arbitrary JavaScript that executes whenever a user loads a page containing the injected label. This can be leveraged to deface the site, steal session cookies, or perform other client‑side malicious actions.

Affected Systems

TycheSoftware’s Call for Price for WooCommerce plugin is affected in all releases up to and including 4.2.0. The vulnerability is limited to multi‑site WordPress installations where the unfiltered_html option is disabled, and requires an administrator access level to exploit.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate risk. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the administrative settings page of the plugin, which requires administrator privileges to reach and inject the payload. If an attacker can access these settings, they can store a malicious script that is served to every user who views the affected page.

Generated by OpenCVE AI on May 2, 2026 at 10:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Call for Price for WooCommerce plugin to version 4.3 or later, which removes the stored XSS flaw.
  • If an immediate update is not possible, temporarily disable the Call for Price plugin to eliminate stored script injection until a patch is applied.
  • Ensure that label settings are properly validated and escaped, and consider implementing a web application firewall rule to block script injection attempts via administrative input.
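As an added illustration of the last recommendation (hypothetical code, not the plugin's own; the option name `cfp_label` and the function names are assumptions), the unsafe pattern the description implies is shown next to a version that sanitizes on save and escapes on output:

```php
<?php
// Added, hypothetical example: hardening a text label setting in a
// WordPress plugin. Option and function names are assumptions.

// Vulnerable pattern: raw admin input is stored and echoed verbatim.
// Because ordinary administrators on multisite (and any site where
// unfiltered_html is disabled) are NOT supposed to be able to store
// markup, this is a real capability bypass, not just "admins can do that".
//   update_option( 'cfp_label', $_POST['cfp_label'] );
//   echo '<span class="cfp-label">' . get_option( 'cfp_label' ) . '</span>';

// Sanitize callback registered through the Settings API, so every save
// path (options.php form post, REST, WP-CLI) runs it. A label is plain
// text, so tags are stripped regardless of the saving user's capabilities.
function cfp_sanitize_label( $value ) {
    return sanitize_text_field( (string) $value );
}

add_action( 'admin_init', function () {
    register_setting( 'cfp_settings', 'cfp_label', array(
        'type'              => 'string',
        'sanitize_callback' => 'cfp_sanitize_label',
        'default'           => 'Call for Price',
    ) );
} );

// Output escaping at render time, independent of what is stored: stored
// data may predate the sanitizer or have been written by another path, so
// escaping on output is the control that cannot be bypassed.
function cfp_render_label() {
    $label = get_option( 'cfp_label', 'Call for Price' );
    // esc_html() for a text node; esc_attr() when the value lands inside
    // an HTML attribute such as title="..." or data-label="...".
    return '<span class="cfp-label" title="' . esc_attr( $label ) . '">'
        . esc_html( $label ) . '</span>';
}
```

A one-line check for the unsafe pattern in an installed plugin is to grep its PHP for `get_option(` results that are echoed without an `esc_*` or `wp_kses*` call on the same line.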

Advisories

No advisories yet.

History

Sat, 02 May 2026 06:00:00 +0000

Values Added (no values removed; initial record):

Description: The Call for Price for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Title: Call for Price for WooCommerce <= 4.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Call for Price' Label Settings

Weaknesses: CWE-79

References: (none listed)

Metrics: cvssV3_1 {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-02T05:29:29.556Z

Reserved: 2026-04-16T18:33:51.134Z

Link: CVE-2026-6447

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-02T06:16:04.173

Modified: 2026-05-02T06:16:04.173

Link: CVE-2026-6447

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T10:15:16Z

Weaknesses