Skip to main content

Min Max Step Quantity Limits Manager for WooCommerce CVE-2026-39437

| EUVDEUVD-2026-37044 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-16 Patchstack GHSA-rv8c-72rj-h273
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Reflected XSS reachable over the network without authentication but requiring a victim click; payload runs in WordPress origin, changing scope, with limited C/I/A impact on the admin session.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 16, 2026 - 10:28 vuln.today
CVE Published
Jun 16, 2026 - 09:00 cve.org
HIGH 7.1

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions.

AnalysisAI

Reflected cross-site scripting in the WPFactory 'Min Max Step Quantity Limits Manager for WooCommerce' WordPress plugin (versions 5.2.2 and earlier) allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser after the victim clicks a crafted link. The CVSS 3.1 score of 7.1 is elevated by a scope change (S:C), reflecting that script execution can affect the WordPress admin context, but exploitation requires user interaction (UI:R). No public exploit was identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

The vulnerability is a CWE-79 (Improper Neutralization of Input During Web Page Generation) flaw in a WooCommerce extension plugin distributed by WPFactory (CPE cpe:2.3:a:wpfactory:min_max_step_quantity_limits_manager_for_woocommerce). The plugin extends WooCommerce - the dominant e-commerce framework for WordPress - by allowing merchants to enforce minimum, maximum, and step quantity rules on products. CWE-79 reflected XSS occurs when user-supplied input is echoed back into an HTTP response without proper output encoding or input sanitization, allowing attacker-controlled HTML/JavaScript to execute in the victim's browser under the origin of the vulnerable WordPress site. The Patchstack reference characterizes this specifically as a reflected (non-stored) XSS, meaning the malicious payload is delivered via a crafted URL rather than persisted in the database.

RemediationAI

Patch availability is not explicitly confirmed in the input data - the Patchstack advisory describes versions <= 5.2.2 as vulnerable but no fixed version is cited, so administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/product-quantity-for-woocommerce/vulnerability/wordpress-min-max-step-quantity-limits-manager-for-woocommerce-plugin-5-2-2-reflected-cross-site-scripting-xss-vulnerability and the WordPress.org plugin page to install any release newer than 5.2.2 once published. If a fixed version is not yet available, compensating controls include temporarily deactivating the plugin (which will remove any min/max/step quantity rules enforced on the storefront and may allow customers to place orders outside business rules), placing a Web Application Firewall rule in front of wp-admin and the plugin's URL parameters to filter HTML/script payloads (Patchstack's vPatch / Wordfence rules typically cover such cases automatically), and instructing administrators to avoid clicking external links into their own site while authenticated. Long-term, enforce a strict Content Security Policy on wp-admin to limit inline script execution, though many WordPress plugins are not CSP-compatible and this may break admin functionality.

Share

CVE-2026-39437 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy