Platform
wordpress
Component
woo-abandoned-cart-recovery
Fixed in
1.1.11
CVE-2026-32526 identifies a Stored Cross-Site Scripting (XSS) vulnerability within the VillaTheme Abandoned Cart Recovery for WooCommerce plugin. This flaw allows attackers to inject malicious scripts that are then stored and executed when other users interact with the affected plugin features. Versions of the plugin prior to 1.1.11 are vulnerable, and a patch has been released to address the issue.
The flaw lets an attacker store arbitrary JavaScript in data the plugin persists. When a legitimate user later opens a page that renders the stored value without proper output escaping, the script runs in that user's browser, inside that user's authenticated session. Possible outcomes include session hijacking, redirection to phishing sites, site defacement, and theft of credentials or personal data. If the victim is a store administrator, the injected script can perform any action the administrator can perform in the WordPress back end, which puts the integrity of the whole WooCommerce store at risk; the number of exposed sites scales with the plugin's install base.
CVE-2026-32526 was publicly disclosed on 2026-03-25. No public proof-of-concept exploit is known at the time of writing. Stored XSS generally needs little more than the ability to submit input that the application stores, so opportunistic exploitation is plausible, although the EPSS score below (0.04%) currently predicts a low probability of exploitation in the wild. The CVSS base score of 7.1 (HIGH) indicates a significant risk. The CVE is not listed in the CISA KEV catalog.
WooCommerce store owners using the Abandoned Cart Recovery for WooCommerce plugin, particularly those running older versions (prior to 1.1.11), are at risk. Shared hosting environments where plugin updates are managed centrally are also at increased risk, as they may be slower to apply security patches.
• wordpress / composer / npm:
grep -ril "abandoned cart recovery" /var/www/html/wp-content/plugins/
wp plugin list | grep abandoned-cart-recovery
• generic web:
curl -I https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=abandoned_cart_recovery_save_data | grep -i content-security-policy
Note that the curl check only reports whether the site sends a Content-Security-Policy header, which can limit what an injected script is able to do; it does not detect the vulnerability itself. Whether a site is affected is decided by the installed plugin version (anything below 1.1.11).
Disclosure
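The two commands above only confirm that the plugin is present. The following POSIX shell script, added here as an example and not taken from the advisory or from VillaTheme's own code, goes one step further and reads the plugin's "Version:" header to decide whether the installed copy is older than the patched 1.1.11. It assumes the plugin directory is named woo-abandoned-cart-recovery (taken from the Component field above) and that its main PHP file carries a standard WordPress plugin header; the sample plugin file it creates is constructed for the demo so the script runs offline.

```shell
#!/bin/sh
# Added example for this advisory; not code from the advisory or from VillaTheme.
# Reports whether an installed Abandoned Cart Recovery for WooCommerce plugin is
# older than the patched release 1.1.11 by reading its "Version:" header.
# Assumptions: the plugin lives in wp-content/plugins/woo-abandoned-cart-recovery
# and its main PHP file carries a standard WordPress plugin header.

FIXED_VERSION="1.1.11"

# version_lt A B: return 0 when dotted version A is strictly older than B.
# Fields are compared numerically; non-digit suffixes ("11-beta") are dropped and
# missing fields count as 0, so "1.1" equals "1.1.0". A trailing "." is appended
# so that cut always sees a delimiter and returns "" once the fields run out.
version_lt() {
  i=1
  while :; do
    x=$(printf '%s.\n' "$1" | cut -d. -f"$i" | tr -cd '0-9')
    y=$(printf '%s.\n' "$2" | cut -d. -f"$i" | tr -cd '0-9')
    [ -z "$x" ] && [ -z "$y" ] && return 1   # both ran out of fields: equal
    x=${x:-0}
    y=${y:-0}
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    i=$((i + 1))
  done
}

# plugin_version DIR: print the value of the first "Version:" header line found
# in a top-level .php file of DIR (the main plugin file); return 1 if none found.
plugin_version() {
  for f in "$1"/*.php; do
    [ -f "$f" ] || continue
    v=$(grep -m1 -iE '^[[:space:]*]*Version:' "$f" | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//')
    if [ -n "$v" ]; then
      printf '%s\n' "$v"
      return 0
    fi
  done
  return 1
}

# check_plugin DIR: return 0 if the plugin in DIR is vulnerable (< FIXED_VERSION),
# 1 if it is already patched, 2 if no version header could be read.
check_plugin() {
  v=$(plugin_version "$1") || return 2
  if version_lt "$v" "$FIXED_VERSION"; then
    printf 'VULNERABLE: %s is version %s, fixed in %s\n' "$1" "$v" "$FIXED_VERSION"
    return 0
  fi
  printf 'OK: %s is version %s\n' "$1" "$v"
  return 1
}

# Constructed sample plugin directory (not a real VillaTheme file) for the demo.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/woo-abandoned-cart-recovery"
cat > "$SAMPLE_DIR/woo-abandoned-cart-recovery/woo-abandoned-cart-recovery.php" <<'EOF'
<?php
/*
 * Plugin Name: Abandoned Cart Recovery for WooCommerce (constructed sample)
 * Version: 1.1.10
 */
EOF

check_plugin "$SAMPLE_DIR/woo-abandoned-cart-recovery" || true
# On a real host, point it at the live install instead:
# check_plugin /var/www/html/wp-content/plugins/woo-abandoned-cart-recovery
```

Where WP-CLI is available, `wp plugin get woo-abandoned-cart-recovery --field=version` gives the same version string without parsing files. A patched version number only shows that the site is no longer exploitable; it does not show that nothing was injected before the upgrade, so stored cart data should still be reviewed for script tags after updating.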
Exploit Status
EPSS
0.04% (11th percentile)
CVSS vector
The primary mitigation is to upgrade the Abandoned Cart Recovery for WooCommerce plugin to version 1.1.11 or later without delay. If upgrading is not immediately feasible because of compatibility concerns, deactivate the plugin until it can be updated: a deactivated plugin's code is not loaded, so its pages and AJAX handlers are no longer reachable, although data it stored earlier remains in the database. A web application firewall (WAF) tuned to block common XSS payloads on the plugin's endpoints can reduce exposure in the meantime, but it is a stop-gap rather than a fix, since payload filters for stored XSS are routinely bypassed. For developers maintaining the plugin, the durable fix is to validate input on the way in and, above all, escape every stored value at output time with the WordPress escaping functions (esc_html(), esc_attr(), esc_url(), or wp_kses_post() where a limited HTML subset is intended). After upgrading, verify the fix on a staging copy rather than the production store: submit a harmless marker payload, such as an img tag with an onerror handler, through the plugin's input fields, then open the page where the value is displayed and confirm that the payload appears entity-encoded in the page source and that no script runs. Finally, review data the plugin stored before the upgrade, because updating the code does not remove payloads that were injected earlier.
Update to version 1.1.11, or a newer patched version
CVE-2026-32526 is a Stored Cross-Site Scripting (XSS) vulnerability in the VillaTheme Abandoned Cart Recovery for WooCommerce plugin, allowing attackers to inject malicious scripts.
You are affected if you are using Abandoned Cart Recovery for WooCommerce versions prior to 1.1.11. Upgrade immediately to mitigate the risk.
Upgrade the plugin to version 1.1.11 or later. If upgrading is not possible, temporarily disable the plugin.
There are currently no confirmed reports of active exploitation, but the vulnerability's nature suggests it could be targeted.
Refer to the VillaTheme website and the WordPress plugin repository for the latest security advisories and updates regarding CVE-2026-32526.