CVE-2026-4080
Deferred Deferred - Pending Action
Stored XSS in Easy Cart WordPress Plugin

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: Wordfence

Description
The Easy Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add_to_cart' shortcode in all versions up to and including 1.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the ectp_add_to_cart() function uses sanitize_text_field() on shortcode attributes like 'itemid', 'product_name', 'product_desc', 'product_qty', and 'price' before inserting them into double-quoted HTML attributes. While sanitize_text_field() strips HTML tags, it does not escape double quote characters, allowing an attacker to break out of the HTML attribute context and inject arbitrary event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-21
NVD
CVE-2026-4080
EUVD
EUVD-2026-33892
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
easy_cart easy_cart to 1.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, you should update the Easy Cart plugin for WordPress to a version later than 1.8 where the issue is fixed.

Additionally, restrict Contributor-level and higher user access to trusted users only, as the vulnerability requires authenticated users with at least Contributor privileges to exploit.

Consider implementing additional input sanitization and output escaping on shortcode attributes if you cannot immediately update the plugin.

Executive Summary

The Easy Cart plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in its 'add_to_cart' shortcode in all versions up to and including 1.8. This happens because the plugin does not properly sanitize and escape user-supplied shortcode attributes. Although it uses sanitize_text_field() to remove HTML tags, this function does not escape double quote characters. As a result, an attacker can break out of the HTML attribute context and inject malicious scripts.

Specifically, the vulnerability exists in the ectp_add_to_cart() function, which processes attributes like 'itemid', 'product_name', 'product_desc', 'product_qty', and 'price'. Authenticated users with Contributor-level access or higher can exploit this to inject arbitrary web scripts that execute whenever a user views the affected page.

Impact Analysis

This vulnerability allows authenticated attackers with Contributor-level access or above to inject malicious scripts into pages via the 'add_to_cart' shortcode. These scripts execute in the browsers of users who visit the infected pages.

  • It can lead to theft of user credentials or session tokens.
  • It can enable unauthorized actions on behalf of users.
  • It can result in defacement or manipulation of website content.
  • It may damage user trust and the reputation of the website.
Compliance Impact

The vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via stored cross-site scripting (XSS). This can lead to unauthorized access to user data or session hijacking, potentially compromising confidentiality and integrity of personal information.

Such security weaknesses can impact compliance with standards like GDPR and HIPAA, which require protection of personal data and prevention of unauthorized access or disclosure. Failure to mitigate this vulnerability could result in violations of these regulations due to exposure of sensitive user information through malicious scripts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4080. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart