CVE-2026-57313
Deferred Deferred - Pending Action
Subscriber XSS in SureCart Plugin <= 4.2.2

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Patchstack

Description
Subscriber Cross Site Scripting (XSS) in SureCart <= 4.2.2 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-06-26
AI Q&A
2026-06-26
EPSS Evaluated
N/A
NVD
CVE-2026-57313
EUVD
EUVD-2026-39726
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
patchstack surecart to 4.2.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability is a Cross Site Scripting (XSS) issue found in the WordPress SureCart Plugin versions 4.2.2 and below. It allows attackers to inject malicious scripts into the website by exploiting actions performed by privileged users, such as clicking a malicious link or submitting a form.

This vulnerability is classified as medium priority with a CVSS score of 6.5 and falls under the OWASP Top 10 category A3: Injection.

The issue was reported on April 30, 2026, and patched in version 4.2.3 of the plugin.

Impact Analysis

If exploited, this vulnerability can allow attackers to inject malicious scripts such as redirects or advertisements into your website.

This can lead to unauthorized actions on your site, potentially harming your users by redirecting them to malicious sites or displaying unwanted content.

Exploitation requires a privileged user to interact with malicious content, which means the attacker needs some level of access or user interaction to succeed.

Detection Guidance

This vulnerability is a Cross Site Scripting (XSS) issue in the SureCart WordPress plugin versions 4.2.2 and below. Detection typically involves identifying attempts to inject malicious scripts via user inputs or URLs that interact with the plugin.

While no specific commands are provided in the available resources, general detection methods include monitoring web server logs for suspicious input patterns or payloads that resemble XSS attacks, such as script tags or encoded JavaScript.

Additionally, using web application security scanners that test for XSS vulnerabilities on the affected plugin endpoints can help detect exploitation attempts.

Mitigation Strategies

The immediate recommended step is to update the SureCart plugin to version 4.2.3 or later, where the vulnerability has been patched.

Until the update can be applied, Patchstack has issued a mitigation rule to block attacks targeting this vulnerability, which should be implemented to reduce risk.

Also, restrict privileged user actions that could trigger the vulnerability, such as clicking untrusted links or submitting untrusted forms, to minimize exploitation chances.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57313. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart