Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Subscriber account required (PR:L), victim must view injected content (UI:R), scope changes to admin context (S:C); XSS does not credibly cause availability impact so A:N.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Cross Site Scripting (XSS) in SureCart <= 4.2.2 versions.
AnalysisAI
Stored Cross-Site Scripting in SureCart WordPress plugin versions up to and including 4.2.2 allows authenticated subscribers to inject malicious scripts that execute in the browsers of other users, including administrators. The 'Subscriber' designation in the CVE title confirms exploitation requires only a low-privilege WordPress account, lowering the barrier to attack significantly for sites with open registration. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress subscriber-level account on the target site, confirmed by the PR:L metric in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.5 (Medium) reflects a meaningful but bounded risk: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free subscriber account on a WordPress site running SureCart <= 4.2.2 and injects a malicious JavaScript payload into a SureCart input field that is stored server-side without proper sanitization. When a site administrator subsequently navigates to an order management or subscriber overview page that renders the tainted data, the script executes in the admin's browser context - enabling session cookie theft, unauthorized admin action execution, or redirection to a phishing page. … |
| Remediation | The primary fix is to upgrade SureCart to a version above 4.2.2. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39726
GHSA-w82j-fffr-xp84