Cart Lift
Monthly
Stored cross-site scripting in the RexTheme Cart Lift WordPress plugin (versions up to and including 3.1.57) lets an attacker persist malicious JavaScript that executes in a victim's browser when the affected page is viewed. Because the CVSS scope is marked changed, injected script can affect resources beyond the vulnerable component, such as the WordPress admin session viewing abandoned-cart data. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, but stored XSS in a customer-facing e-commerce recovery plugin is a realistic session-hijacking and admin-compromise vector.
Stored cross-site scripting in the RexTheme Cart Lift WordPress plugin (versions up to and including 3.1.57) lets an attacker persist malicious JavaScript that executes in a victim's browser when the affected page is viewed. Because the CVSS scope is marked changed, injected script can affect resources beyond the vulnerable component, such as the WordPress admin session viewing abandoned-cart data. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, but stored XSS in a customer-facing e-commerce recovery plugin is a realistic session-hijacking and admin-compromise vector.