Skip to main content

Smart Online Order for Clover EUVDEUVD-2026-32190

| CVE-2026-42738 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-27 audit@patchstack.com GHSA-c66j-895v-3r49
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:32 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Stored XSS.This issue affects Smart Online Order for Clover: from n/a through <= 1.6.0.

AnalysisAI

Stored cross-site scripting in the Smart Online Order for Clover WordPress plugin by ZAYTECH (versions up to and including 1.6.0) lets attackers inject persistent JavaScript that executes when a victim - typically a store administrator - loads the affected page. Because the CVSS vector marks privileges as none (PR:N) but user interaction as required (UI:R), the malicious input can be planted without authentication and is triggered later when a privileged user views it. There is no public exploit identified at time of analysis, and the EPSS score is very low (0.03%, 10th percentile), indicating exploitation is not currently widespread.

Technical ContextAI

The flaw is a CWE-79 (Improper Neutralization of Input During Web Page Generation) stored XSS in a WordPress plugin that integrates Clover point-of-sale online ordering into WordPress sites. Stored XSS occurs when user-supplied data is persisted server-side (e.g., in the WordPress database) and later rendered into an HTML page without proper output encoding or input sanitization, allowing the browser to interpret attacker content as executable script. The CVSS scope change (S:C) indicates the injected script executes in a security context different from the vulnerable component - characteristic of XSS, where code runs in the victim's browser session rather than the plugin's own boundary. No CPE strings were supplied in the input; affected-product identification is based on the ENISA EUVD entry and the plugin slug clover-online-orders.

RemediationAI

No vendor-released patch version is identified at time of analysis - the affected range 'through ≤ 1.6.0' does not specify a fixed release, so administrators should consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/clover-online-orders/vulnerability/wordpress-smart-online-order-for-clover-plugin-1-6-0-cross-site-scripting-xss-vulnerability?_s_id=cve) and the WordPress plugin page for any version released after 1.6.0 and upgrade to it immediately once available. Until a fix exists, specific compensating controls include: deploying a Web Application Firewall (such as Patchstack's or Wordfence's virtual patching) with XSS rules covering the plugin's input fields, which adds latency and risk of false positives on legitimate order data; restricting or sanitizing the order-input fields the plugin exposes to untrusted customers, at the cost of reduced ordering functionality; and applying a Content-Security-Policy header that disallows inline script execution to blunt payload execution, with the trade-off that strict CSP can break other plugins or theme features. If the plugin is non-essential, deactivating it entirely is the most reliable mitigation.

Share

EUVD-2026-32190 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy