Description
The RomanCart Ecommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blclass' attribute (and other attributes) of the romancart_button shortcode in versions up to, and including, 2.0.8. This is due to insufficient input sanitization and output escaping on user supplied attributes within the romancart_button_shortcode() function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-06-09
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The RomanCart Ecommerce plugin for WordPress is vulnerable to a stored cross‑site scripting flaw caused by insufficient sanitization and escaping of user supplied attributes in the romancart_button shortcode. Authenticated users with contributor or higher privileges can inject arbitrary JavaScript into a button’s attributes such as blclass. Whenever a visitor loads a page containing that button, the injected script runs in their browser, allowing session hijacking, credential theft, or defacement of the site.
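As an added illustration (not the plugin's own code), the handler below shows the defensive pattern the description implies is missing: each shortcode attribute is validated and escaped for the context it is rendered into, using WordPress's own functions. The attribute names other than blclass, the markup, and the stand-in function bodies that let the file run outside WordPress are assumptions.

```php
<?php
// Added example (not RomanCart's code): a shortcode handler that validates and
// escapes its attributes for the context each one lands in. The attribute
// names (blclass, text, url) and the markup are assumed for illustration.

// Stand-ins so the file runs under plain `php`; inside WordPress, core provides
// these functions and this block is skipped. They only approximate core behaviour.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, $atts, $shortcode = '') {
        $atts = (array) $atts;
        $out  = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = isset($atts[$name]) ? $atts[$name] : $default;
        }
        return $out;
    }
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
    function sanitize_html_class($class, $fallback = '') {
        $clean = preg_replace('/[^A-Za-z0-9_-]/', '', (string) $class);
        return $clean === '' ? $fallback : $clean;
    }
    function esc_url($url) {
        return preg_match('#^https?://#i', (string) $url) ? esc_attr($url) : '';
    }
}

// Unsafe pattern the CVE describes: attributes concatenated straight into markup,
// e.g. '<a class="' . $atts['blclass'] . '">', so a quote ends the attribute.
// Hardened handler: allow-list the class, then escape attribute, URL and text contexts.
function hardened_romancart_button($atts) {
    $a = shortcode_atts([
        'blclass' => 'romancart-button',
        'text'    => 'Buy now',
        'url'     => '',
    ], $atts, 'romancart_button');
    $class = sanitize_html_class($a['blclass'], 'romancart-button');
    return sprintf(
        '<a class="%s" href="%s">%s</a>',
        esc_attr($class),          // attribute context
        esc_url($a['url']),        // URL context: only http(s) survives
        esc_html($a['text'])       // text-node context
    );
}

// Constructed input: a class value carrying a double quote and a space, which
// would terminate the attribute in the unsafe pattern above.
$html = hardened_romancart_button(['blclass' => 'btn" data-x="y', 'url' => 'https://example.com/cart']);
echo $html, PHP_EOL;
```

Run it with `php` from the command line to see the quote and space stripped from the class value and the remaining attributes entity-escaped.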

Affected Systems

WordPress sites employing the RomanCart Ecommerce plugin, version 2.0.8 or earlier, are affected. Any user who can add or edit the romancart_button shortcode—contributors and above—can exploit this flaw.

Risk and Exploitability

The flaw carries a CVSS score of 6.4, indicating moderate severity. Although the EPSS score is not available and the vulnerability is not listed in CISA's KEV catalog, the need for authenticated access limits the threat to sites that grant the contributor role to untrusted users. The stored XSS payload can hijack user sessions and exfiltrate data, making the risk significant for any of the site's users.

Generated by OpenCVE AI on June 9, 2026 at 06:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the RomanCart Ecommerce plugin to a version that fixes the XSS vulnerability, or uninstall the plugin if no update is available.
  • If the update cannot be applied immediately, remove or disable the romancart_button shortcode functionality for users with contributor or higher roles, or restrict those roles from adding such content.
  • Implement a robust Content Security Policy that disallows inline scripts and only permits trusted external scripts to mitigate the impact of any remaining XSS payloads.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 16:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 09:15:00 +0000

Type: First Time appeared
Values Added: Romancartsupport; Romancartsupport romancart Ecommerce; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Romancartsupport; Romancartsupport romancart Ecommerce; Wordpress; Wordpress wordpress

Tue, 09 Jun 2026 04:45:00 +0000

Type: Description
Values Added: The RomanCart Ecommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blclass' attribute (and other attributes) of the romancart_button shortcode in versions up to, and including, 2.0.8. This is due to insufficient input sanitization and output escaping on user supplied attributes within the romancart_button_shortcode() function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: RomanCart Ecommerce <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Type: Weaknesses
Values Added: CWE-79

Type: References (no values shown)

Type: Metrics
Values Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-09T15:13:27.293Z

Reserved: 2026-05-18T20:31:15.306Z

Link: CVE-2026-8880

Vulnrichment

Updated: 2026-06-09T15:01:32.539Z

NVD

Status : Deferred

Published: 2026-06-09T05:16:39.643

Modified: 2026-06-09T13:33:34.393

Link: CVE-2026-8880

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T08:56:09Z

Weaknesses