CVE-2026-1826
Stored XSS in OpenPOS Lite WooCommerce Plugin Order QR Code
Publication date: 2026-02-11
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | wpos_lite | to 3.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The OpenPOS Lite β Point of Sale for WooCommerce plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability. This occurs via the 'width' parameter of the order_qrcode shortcode in all versions up to and including 3.0. The vulnerability exists because the plugin does not properly sanitize input or escape output for this parameter.
As a result, authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages. These scripts execute whenever any user accesses the injected page, potentially compromising user interactions.
How can this vulnerability impact me? :
This vulnerability allows attackers with Contributor-level access or above to inject malicious scripts into the website. These scripts can execute in the context of other users visiting the affected pages.
- Compromise of user accounts or sessions through theft of cookies or credentials.
- Execution of unauthorized actions on behalf of users without their consent.
- Potential defacement or manipulation of website content.
- Exposure of sensitive information accessible to the victim users.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves Stored Cross-Site Scripting (XSS) via the 'width' parameter of the order_qrcode shortcode in the OpenPOS Lite plugin for WooCommerce. Detection would involve identifying if this shortcode is used with unsanitized input in your WordPress installation.
Since the vulnerability requires authenticated users with Contributor-level access or higher to inject malicious scripts, detection can include reviewing posts or pages that use the order_qrcode shortcode and checking for suspicious or unexpected script tags or HTML in the 'width' parameter.
Suggested commands or methods to detect this vulnerability include:
- Search the WordPress database for instances of the order_qrcode shortcode with suspicious 'width' parameter values, for example using SQL queries on the wp_posts table.
- Use WP-CLI to search posts/pages for the shortcode: wp search-replace --dry-run '\[order_qrcode.*width=.*\]' ''
- Monitor HTTP traffic or logs for unusual script execution or injection attempts related to pages containing the order_qrcode shortcode.
- Audit user roles and permissions to identify if any Contributor-level or higher users have recently edited content containing the shortcode.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Update the OpenPOS Lite plugin to the latest version beyond 3.0 where the vulnerability has been fixed.
- Restrict Contributor-level and higher user permissions to trusted users only, minimizing the risk of malicious script injection.
- Temporarily disable or remove the order_qrcode shortcode usage in posts or pages until the plugin is updated.
- Implement Web Application Firewall (WAF) rules to detect and block attempts to inject scripts via the 'width' parameter.
- Review and sanitize all inputs related to the order_qrcode shortcode if custom code or overrides are used.