Description
The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the `wpcsm_text_rotator` shortcode in all versions up to, and including, 4.2.8. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-28
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Update Plugin
AI Analysis

Impact

The WPC Smart Messages for WooCommerce plugin contains a stored XSS flaw that originates from insufficient sanitization and escaping of the "text" attribute in the wpcsm_text_rotator shortcode. A contributor‑level or higher authenticated attacker can embed arbitrary JavaScript into this attribute, and the script will execute in a browser when any user views a page containing the shortened content.

Affected Systems

WordPress sites that have the WPC Smart Messages for WooCommerce plugin installed and running any version up to and including 4.2.8 are impacted. The flaw requires that the user have the ability to modify content, such as a contributor role or higher, on the affected site.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. Exploitation can only occur with a valid contributor‑level or higher account, which limits the attacker pool but remains a concern in communities with many contributors. No EPSS data is available, and the vulnerability has not been listed in CISA’s KEV catalogue. Once a malicious script is stored, any site visitor who views the page will have the code executed in their browser, providing a client‑side code execution vector.

Generated by OpenCVE AI on April 28, 2026 at 19:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WPC Smart Messages for WooCommerce plugin to the latest available release, ensuring that the change to sanitize or escape the "text" attribute is documented in the changelog or release notes.
  • Review and tighten contributor‑level and higher role assignments, granting content‑editing privileges only to trusted users.
  • Implement a content security policy that restricts inline scripts or limits script sources to approved domains to mitigate the impact of any residual injections.

Generated by OpenCVE AI on April 28, 2026 at 19:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 06:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpclever
Wpclever wpc Smart Messages For Woocommerce
Vendors & Products Wordpress
Wordpress wordpress
Wpclever
Wpclever wpc Smart Messages For Woocommerce

Tue, 28 Apr 2026 05:30:00 +0000

Type Values Removed Values Added
Description The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the `wpcsm_text_rotator` shortcode in all versions up to, and including, 4.2.8. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title WPC Smart Messages for WooCommerce <= 4.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
Wpclever Wpc Smart Messages For Woocommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-28T12:37:42.870Z

Reserved: 2026-04-20T20:17:32.334Z

Link: CVE-2026-6725

cve-icon Vulnrichment

Updated: 2026-04-28T12:37:03.256Z

cve-icon NVD

Status : Deferred

Published: 2026-04-28T06:16:04.600

Modified: 2026-04-28T20:26:04.673

Link: CVE-2026-6725

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T19:30:27Z

Weaknesses