Cross-site Scripting Vulnerability in WooCommerce Plugin by Steve Truman
CVE-2026-24526

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Email Inquiry & Cart Options For WooCommerce
Vendor: CVE Published:; 23 January 2026

What is CVE-2026-24526?

A Cross-site Scripting (XSS) vulnerability exists in the Email Inquiry & Cart Options for WooCommerce plugin developed by Steve Truman. This issue arises from improper neutralization of user input during web page generation, which can lead to DOM-based XSS attacks. Attackers may exploit this flaw in versions prior to 3.4.3 of the plugin, potentially allowing unauthorized users to execute arbitrary scripts in the context of a user's browser session, compromising the security of user data and overall website integrity.

Affected Version(s)

Email Inquiry & Cart Options for WooCommerce 0 <= 3.4.3

References

https://patchstack.com/database/Wordpress/Plugin/woocomme...

vdb-entry

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 23, 2026
Vulnerability Reserved
Jan 23, 2026

Credit

theviper17 | Patchstack Bug Bounty Program

CVE-2026-24526 Data

JSON