Platform
wordpress
Component
woo-abandoned-cart-recovery
Fixed in
1.1.11
CVE-2026-32526 identifies a Stored Cross-Site Scripting (XSS) vulnerability within the VillaTheme Abandoned Cart Recovery for WooCommerce plugin. This flaw allows attackers to inject malicious scripts that are then stored and executed when other users interact with the affected plugin features. Versions of the plugin prior to 1.1.11 are vulnerable, and a patch has been released to address the issue.
A stored XSS flaw lets an attacker persist arbitrary JavaScript in data the plugin writes to the WordPress database. When another user later views a page on which the plugin renders that data without escaping, the script runs in that user's browser under that user's session. Typical consequences are session hijacking through requests issued from the victim's browser, redirection to phishing pages, defacement of the storefront, and capture of credentials or personal data entered on the site. In a WordPress deployment the worst case is a payload that renders inside wp-admin for an administrator: script running in an administrator's browser can issue nonce-authenticated requests to create users, change settings or install plugins, which amounts to full compromise of the store.
CVE-2026-32526 was publicly disclosed on 2026-03-25. No public proof-of-concept exploit is known at the time of writing. Stored XSS in a WordPress plugin requires little skill to exploit once the injection point is identified, so opportunistic attackers could target it even though its EPSS score is low. The CVSS score of 7.1 (HIGH) indicates a significant risk. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS
0.04% (11th percentile)
CVSS Vector
The primary mitigation is to upgrade the Abandoned Cart Recovery for WooCommerce plugin to version 1.1.11 or later. If upgrading is not immediately feasible because of compatibility concerns, temporarily deactivate the plugin until it can be updated; a deactivated plugin's code is not loaded, so its output paths cannot render stored payloads. A web application firewall can filter common XSS payloads aimed at the plugin's endpoints as a stopgap, but WAF rules are bypassable and do not replace the patch. The durable fix belongs in the plugin code: escape every stored value at the point of output with the WordPress escaping functions (esc_html(), esc_attr(), esc_url(), or wp_kses() where limited HTML is allowed) rather than relying on input filtering alone. After upgrading, confirm on a staging copy of the site that a benign test payload submitted through the plugin's input fields is rendered as text rather than executed.
Update to version 1.1.11, or a newer patched version
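The following script is an added example, not code from this advisory or from VillaTheme. It encodes the "below 1.1.11 means vulnerable" check as a portable dotted-version comparison and, when pointed at a live site, applies the remediation order described above (update first, deactivate as a fallback) through WP-CLI. It assumes WP-CLI is installed, that the plugin slug is the `woo-abandoned-cart-recovery` value from the Component field, and that the site path passed on the command line is a WordPress root; the `--site` flag and the function names are this example's own.

```shell
# Constructed example for CVE-2026-32526 remediation; not VillaTheme's code.
set -eu

PLUGIN_SLUG="woo-abandoned-cart-recovery"   # slug from the advisory's Component field
FIXED_VERSION="1.1.11"                      # first patched release per the advisory

# version_lt A B: exit 0 when dotted version A sorts strictly before B.
# Compares numerically field by field; a missing field counts as 0, and any
# non-digit suffix (e.g. "-beta") is ignored. Pure POSIX sh, no sort -V needed.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    [ "$a" = "$ai" ] && a="" || a="${a#*.}"
    [ "$b" = "$bi" ] && b="" || b="${b#*.}"
    ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
  done
  return 1
}

# classify VERSION: print "vulnerable" for anything below FIXED_VERSION, else "patched".
classify() {
  if version_lt "$1" "$FIXED_VERSION"; then echo vulnerable; else echo patched; fi
}

# remediate SITE_PATH: read the installed version via WP-CLI and act on it.
# Update is the preferred fix; if the update fails, deactivate so the plugin's
# code (and its unescaped output paths) no longer loads.
remediate() {
  site="$1"
  installed="$(wp --path="$site" plugin get "$PLUGIN_SLUG" --field=version)"
  if [ "$(classify "$installed")" = vulnerable ]; then
    echo "$PLUGIN_SLUG $installed is below $FIXED_VERSION: updating"
    wp --path="$site" plugin update "$PLUGIN_SLUG" \
      || wp --path="$site" plugin deactivate "$PLUGIN_SLUG"
  else
    echo "$PLUGIN_SLUG $installed is patched"
  fi
}

# Usage: sh check_cart_recovery.sh --site /var/www/html
# The live-site step only runs when explicitly requested and WP-CLI is present.
if [ "${1:-}" = "--site" ] && command -v wp >/dev/null 2>&1; then
  remediate "$2"
fi
```

Running the script against several site roots from a cron job or a fleet tool gives a quick inventory of which stores still carry the pre-1.1.11 code; the numeric comparison matters because a plain string comparison would rank 1.1.9 above 1.1.11.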
CVE-2026-32526 is a Stored Cross-Site Scripting (XSS) vulnerability in the VillaTheme Abandoned Cart Recovery for WooCommerce plugin, allowing attackers to inject malicious scripts.
You are affected if you are using Abandoned Cart Recovery for WooCommerce versions prior to 1.1.11. Upgrade immediately to mitigate the risk.
Upgrade the plugin to version 1.1.11 or later. If upgrading is not possible, temporarily disable the plugin.
There are currently no confirmed reports of active exploitation. Because stored XSS is cheap to exploit once an injection point is known, treat the flaw as likely to be targeted and patch on that basis.
Refer to the VillaTheme website and the plugin's listing in the WordPress plugin directory for the latest security advisories and updates regarding CVE-2026-32526.