CVE-2026-57313
Deferred Deferred - Pending Action

Subscriber XSS in SureCart Plugin <= 4.2.2

Vulnerability report for CVE-2026-57313, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: Patchstack

Description

Subscriber Cross Site Scripting (XSS) in SureCart <= 4.2.2 versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
patchstack surecart to 4.2.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability is a Cross Site Scripting (XSS) issue found in the WordPress SureCart Plugin versions 4.2.2 and below. It allows attackers to inject malicious scripts into the website by exploiting actions performed by privileged users, such as clicking a malicious link or submitting a form.

This vulnerability is classified as medium priority with a CVSS score of 6.5 and falls under the OWASP Top 10 category A3: Injection.

The issue was reported on April 30, 2026, and patched in version 4.2.3 of the plugin.

Detection Guidance

This vulnerability is a Cross Site Scripting (XSS) issue in the SureCart WordPress plugin versions 4.2.2 and below. Detection typically involves identifying attempts to inject malicious scripts via user inputs or URLs that interact with the plugin.

While no specific commands are provided in the available resources, general detection methods include monitoring web server logs for suspicious input patterns or payloads that resemble XSS attacks, such as script tags or encoded JavaScript.

Additionally, using web application security scanners that test for XSS vulnerabilities on the affected plugin endpoints can help detect exploitation attempts.

Impact Analysis

If exploited, this vulnerability can allow attackers to inject malicious scripts such as redirects or advertisements into your website.

This can lead to unauthorized actions on your site, potentially harming your users by redirecting them to malicious sites or displaying unwanted content.

Exploitation requires a privileged user to interact with malicious content, which means the attacker needs some level of access or user interaction to succeed.

Compliance Impact

The provided information does not specify how the Subscriber Cross Site Scripting (XSS) vulnerability in SureCart versions 4.2.2 and below affects compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

The immediate recommended step is to update the SureCart plugin to version 4.2.3 or later, where the vulnerability has been patched.

Until the update can be applied, Patchstack has issued a mitigation rule to block attacks targeting this vulnerability, which should be implemented to reduce risk.

Also, restrict privileged user actions that could trigger the vulnerability, such as clicking untrusted links or submitting untrusted forms, to minimize exploitation chances.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57313. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart