CVE-2026-4080
Received Received - Intake
Stored XSS in Easy Cart WordPress Plugin

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: Wordfence

Description
The Easy Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add_to_cart' shortcode in all versions up to and including 1.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the ectp_add_to_cart() function uses sanitize_text_field() on shortcode attributes like 'itemid', 'product_name', 'product_desc', 'product_qty', and 'price' before inserting them into double-quoted HTML attributes. While sanitize_text_field() strips HTML tags, it does not escape double quote characters, allowing an attacker to break out of the HTML attribute context and inject arbitrary event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-06-02
AI Q&A
2026-06-02
EPSS Evaluated
N/A
NVD
CVE-2026-4080
EUVD
EUVD-2026-33892
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
easy_cart easy_cart to 1.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via stored cross-site scripting (XSS). This can lead to unauthorized access to user data or session hijacking, potentially compromising confidentiality and integrity of personal information.

Such security weaknesses can impact compliance with standards like GDPR and HIPAA, which require protection of personal data and prevention of unauthorized access or disclosure. Failure to mitigate this vulnerability could result in violations of these regulations due to exposure of sensitive user information through malicious scripts.


Can you explain this vulnerability to me?

The Easy Cart plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in its 'add_to_cart' shortcode in all versions up to and including 1.8. This happens because the plugin does not properly sanitize and escape user-supplied shortcode attributes. Although it uses sanitize_text_field() to remove HTML tags, this function does not escape double quote characters. As a result, an attacker can break out of the HTML attribute context and inject malicious scripts.

Specifically, the vulnerability exists in the ectp_add_to_cart() function, which processes attributes like 'itemid', 'product_name', 'product_desc', 'product_qty', and 'price'. Authenticated users with Contributor-level access or higher can exploit this to inject arbitrary web scripts that execute whenever a user views the affected page.


How can this vulnerability impact me? :

This vulnerability allows authenticated attackers with Contributor-level access or above to inject malicious scripts into pages via the 'add_to_cart' shortcode. These scripts execute in the browsers of users who visit the infected pages.

  • It can lead to theft of user credentials or session tokens.
  • It can enable unauthorized actions on behalf of users.
  • It can result in defacement or manipulation of website content.
  • It may damage user trust and the reputation of the website.

Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart