Skip to main content

MC WooCommerce Wishlist EUVDEUVD-2026-41355

| CVE-2026-57356 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-xfpp-93xp-3xr4
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable unauthenticated injection needing victim interaction (UI:R); browser-context execution in site origin justifies scope change (S:C) with limited C/I/A impact typical of XSS.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 12:15 vuln.today
CVE Published
Jul 02, 2026 - 11:15 cve.org
HIGH 7.1

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in MC Woocommerce Wishlist <= 1.9.19 versions.

AnalysisAI

Reflected/stored cross-site scripting in the MC WooCommerce Wishlist WordPress plugin (also distributed as 'Smart Wishlist for MoreConvert') affects all versions up to and including 1.9.19, letting remote unauthenticated attackers inject malicious script that executes in a victim's browser after the victim interacts with a crafted link or request. The scope-changed CVSS 3.1 score of 7.1 reflects that injected script runs in the WordPress site's origin, enabling session/cookie theft or actions against other users. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft wishlist request with XSS payload
Delivery
Deliver malicious link to victim
Exploit
Victim opens link on store
Execution
Unsanitized input rendered in page
Persist
Script executes in victim origin
Impact
Steal session or act as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target WordPress site runs MC WooCommerce Wishlist version 1.9.19 or earlier and that a victim interacts with attacker-supplied content (UI:R) - for reflected XSS, clicking a crafted link to the vulnerable wishlist parameter/endpoint; for stored XSS, viewing a page where the injected wishlist data is rendered. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, base 7.1) indicates a network-reachable, low-complexity, unauthenticated attack that nevertheless requires user interaction, with a scope change (S:C) inflating the score because injected script executes in the site origin against other users. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL or request to a vulnerable wishlist endpoint embedding malicious JavaScript, then lures a shopper or logged-in store user to open it (e.g., via email, forum post, or ad). When the page renders the unsanitized input, the script executes in the victim's browser under the store's origin, allowing session/cookie theft or actions performed as the victim. …
Remediation Upgrade the plugin to a version later than 1.9.19; however, no vendor-released patched version is identified in the provided data, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/smart-wishlist-for-more-convert/vulnerability/wordpress-mc-woocommerce-wishlist-plugin-1-9-19-cross-site-scripting-xss-vulnerability) and the WordPress.org plugin page for the fixed release before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress installations for MC WooCommerce Wishlist plugin presence; immediately disable or deactivate all instances running version 1.9.19 or earlier. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41355 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy