Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Reflected XSS reachable over the network without authentication but requiring a victim click; payload runs in WordPress origin, changing scope, with limited C/I/A impact on the admin session.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions.
AnalysisAI
Reflected cross-site scripting in the WPFactory 'Min Max Step Quantity Limits Manager for WooCommerce' WordPress plugin (versions 5.2.2 and earlier) allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser after the victim clicks a crafted link. The CVSS 3.1 score of 7.1 is elevated by a scope change (S:C), reflecting that script execution can affect the WordPress admin context, but exploitation requires user interaction (UI:R). No public exploit was identified at time of analysis and the issue is not listed in CISA KEV.
Technical ContextAI
The vulnerability is a CWE-79 (Improper Neutralization of Input During Web Page Generation) flaw in a WooCommerce extension plugin distributed by WPFactory (CPE cpe:2.3:a:wpfactory:min_max_step_quantity_limits_manager_for_woocommerce). The plugin extends WooCommerce - the dominant e-commerce framework for WordPress - by allowing merchants to enforce minimum, maximum, and step quantity rules on products. CWE-79 reflected XSS occurs when user-supplied input is echoed back into an HTTP response without proper output encoding or input sanitization, allowing attacker-controlled HTML/JavaScript to execute in the victim's browser under the origin of the vulnerable WordPress site. The Patchstack reference characterizes this specifically as a reflected (non-stored) XSS, meaning the malicious payload is delivered via a crafted URL rather than persisted in the database.
RemediationAI
Patch availability is not explicitly confirmed in the input data - the Patchstack advisory describes versions <= 5.2.2 as vulnerable but no fixed version is cited, so administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/product-quantity-for-woocommerce/vulnerability/wordpress-min-max-step-quantity-limits-manager-for-woocommerce-plugin-5-2-2-reflected-cross-site-scripting-xss-vulnerability and the WordPress.org plugin page to install any release newer than 5.2.2 once published. If a fixed version is not yet available, compensating controls include temporarily deactivating the plugin (which will remove any min/max/step quantity rules enforced on the storefront and may allow customers to place orders outside business rules), placing a Web Application Firewall rule in front of wp-admin and the plugin's URL parameters to filter HTML/script payloads (Patchstack's vPatch / Wordfence rules typically cover such cases automatically), and instructing administrators to avoid clicking external links into their own site while authenticated. Long-term, enforce a strict Content Security Policy on wp-admin to limit inline script execution, though many WordPress plugins are not CSP-compatible and this may break admin functionality.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37044
GHSA-rv8c-72rj-h273