Skip to main content

SureCart CVE-2026-57313

| EUVDEUVD-2026-39726 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-26 audit@patchstack.com GHSA-w82j-fffr-xp84
6.5
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

Subscriber account required (PR:L), victim must view injected content (UI:R), scope changes to admin context (S:C); XSS does not credibly cause availability impact so A:N.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:19 vuln.today

DescriptionCVE.org

Subscriber Cross Site Scripting (XSS) in SureCart <= 4.2.2 versions.

AnalysisAI

Stored Cross-Site Scripting in SureCart WordPress plugin versions up to and including 4.2.2 allows authenticated subscribers to inject malicious scripts that execute in the browsers of other users, including administrators. The 'Subscriber' designation in the CVE title confirms exploitation requires only a low-privilege WordPress account, lowering the barrier to attack significantly for sites with open registration. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register subscriber account on target site
Delivery
Inject XSS payload via SureCart input field
Exploit
Payload stored server-side
Execution
Admin views affected SureCart page
Persist
Malicious script executes in admin browser
Impact
Steal session token or perform admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress subscriber-level account on the target site, confirmed by the PR:L metric in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.5 (Medium) reflects a meaningful but bounded risk: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a WordPress site running SureCart <= 4.2.2 and injects a malicious JavaScript payload into a SureCart input field that is stored server-side without proper sanitization. When a site administrator subsequently navigates to an order management or subscriber overview page that renders the tainted data, the script executes in the admin's browser context - enabling session cookie theft, unauthorized admin action execution, or redirection to a phishing page. …
Remediation The primary fix is to upgrade SureCart to a version above 4.2.2. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57313 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy