Skip to main content

SureCart EUVDEUVD-2026-39727

| CVE-2026-57314 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-26 audit@patchstack.com GHSA-r26v-75f4-49x2
7.1
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated reflected XSS over the network needing a victim click (UI:R); scope changes into the browser/session context (S:C) with the limited C/I/A impact typical of XSS.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:54 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in SureCart <= 4.3.2 versions.

AnalysisAI

Reflected cross-site scripting in the SureCart WordPress e-commerce plugin (versions 4.3.2 and earlier) lets unauthenticated remote attackers inject browser-executed script by luring a victim to a crafted link. Because the CVSS scope is changed (S:C), the injected payload can act in the security context of the WordPress session, enabling theft of admin session data or actions performed on the victim's behalf. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft URL with XSS payload
Delivery
Deliver link to admin via phishing
Exploit
Victim loads reflected parameter
Execution
Script executes in WordPress session
Impact
Hijack session or act as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires victim interaction (UI:R): the attacker cannot trigger it server-side alone but must convince a user - ideally an authenticated WordPress administrator - to open a crafted link or load a malicious request against a site running SureCart 4.3.2 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 7.1 reflects a network attack vector with low complexity and no privileges required, but exploitation is gated on user interaction (UI:R) - a victim must click or load the malicious link - and impact is limited (C:L/I:L/A:L), elevated to 7.1 only by the scope change (S:C). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to a SureCart-powered store containing a malicious script payload in a reflected parameter and distributes it via phishing email, social media, or a malicious ad. When a logged-in store administrator or customer clicks the link, the script executes in their browser session, allowing the attacker to steal session data, perform actions as the victim, or stage further attacks. …
Remediation Upgrade SureCart to a release later than 4.3.2 - the advisory frames 4.3.2 as the last vulnerable version, so administrators should apply the next available patched release from the WordPress plugin repository and verify the installed version after updating; no exact fixed version number was included in the provided data, so confirm the patched version against the vendor/Patchstack advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Disable the SureCart plugin on all affected installations (version 4.3.2 and earlier) or restrict administrative dashboard access to internal IP ranges pending patch availability; audit session logs for unauthorized access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39727 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy