Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-reachable unauthenticated injection needing victim interaction (UI:R); browser-context execution in site origin justifies scope change (S:C) with limited C/I/A impact typical of XSS.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in MC Woocommerce Wishlist <= 1.9.19 versions.
AnalysisAI
Reflected/stored cross-site scripting in the MC WooCommerce Wishlist WordPress plugin (also distributed as 'Smart Wishlist for MoreConvert') affects all versions up to and including 1.9.19, letting remote unauthenticated attackers inject malicious script that executes in a victim's browser after the victim interacts with a crafted link or request. The scope-changed CVSS 3.1 score of 7.1 reflects that injected script runs in the WordPress site's origin, enabling session/cookie theft or actions against other users. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target WordPress site runs MC WooCommerce Wishlist version 1.9.19 or earlier and that a victim interacts with attacker-supplied content (UI:R) - for reflected XSS, clicking a crafted link to the vulnerable wishlist parameter/endpoint; for stored XSS, viewing a page where the injected wishlist data is rendered. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, base 7.1) indicates a network-reachable, low-complexity, unauthenticated attack that nevertheless requires user interaction, with a scope change (S:C) inflating the score because injected script executes in the site origin against other users. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL or request to a vulnerable wishlist endpoint embedding malicious JavaScript, then lures a shopper or logged-in store user to open it (e.g., via email, forum post, or ad). When the page renders the unsanitized input, the script executes in the victim's browser under the store's origin, allowing session/cookie theft or actions performed as the victim. … |
| Remediation | Upgrade the plugin to a version later than 1.9.19; however, no vendor-released patched version is identified in the provided data, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/smart-wishlist-for-more-convert/vulnerability/wordpress-mc-woocommerce-wishlist-plugin-1-9-19-cross-site-scripting-xss-vulnerability) and the WordPress.org plugin page for the fixed release before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress installations for MC WooCommerce Wishlist plugin presence; immediately disable or deactivate all instances running version 1.9.19 or earlier. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41355
GHSA-xfpp-93xp-3xr4