EAN for WooCommerce < 4.4.3 - Contributor+ Stored XSS
Description
The EAN for WooCommerce plugin before 4.4.3 suffers from a stored XSS via unescaped shortcode attributes, allowing contributor-level users to inject scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The EAN for WooCommerce plugin for WordPress, versions before 4.4.3, fails to validate and escape shortcode attributes before outputting them in a page or post where the shortcode is embedded. This allows users with the contributor role or above to perform stored cross-site scripting (XSS) attacks [1].
Exploitation
An attacker with at least contributor-level access can insert a shortcode with malicious attribute values. The plugin does not sanitize these attributes, so when the shortcode is rendered, the attacker's JavaScript payload is executed in the context of any user viewing the affected page or post [1].
Impact
Successful exploitation leads to stored XSS, allowing the attacker to execute arbitrary JavaScript in the browsers of other users. Depending on the context, this could result in session hijacking, defacement, or redirection to malicious sites [1].
Mitigation
The vulnerability is fixed in version 4.4.3 of the plugin. Users are advised to update to the latest version immediately. No workarounds are mentioned in the reference [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
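To make the bug class concrete, here is an added example written for this page; it is not code from the EAN for WooCommerce plugin, whose real shortcode tag and attribute names are not given in the reference. It shows a generic WordPress shortcode callback that prints attribute values into HTML verbatim (the pattern the narrative above describes) beside the hardened form that escapes each value for the context it lands in. The shortcode tag `example_ean`, the attribute names, the sample EAN and the small polyfills that let the file run outside WordPress are all assumptions.

```php
<?php
// Added illustration of unescaped shortcode attributes, not the plugin's code.
// When loaded inside WordPress the core esc_attr()/esc_html()/shortcode_atts()
// functions are used; the polyfills below exist only so the file runs stand-alone.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts, string $shortcode = ''): array {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}

// Vulnerable pattern: whatever the post author wrote inside [example_ean ...]
// is concatenated straight into the markup, so a value can close the class
// attribute or inject tags into the text node.
function example_ean_shortcode_vulnerable(array $atts): string {
    $a = shortcode_atts(['ean' => '', 'class' => 'ean'], $atts, 'example_ean');
    return '<span class="' . $a['class'] . '">' . $a['ean'] . '</span>';
}

// Hardened pattern: escape at output, choosing the escaper by context
// (esc_attr for an HTML attribute value, esc_html for text content).
function example_ean_shortcode_fixed(array $atts): string {
    $a = shortcode_atts(['ean' => '', 'class' => 'ean'], $atts, 'example_ean');
    return '<span class="' . esc_attr($a['class']) . '">' . esc_html($a['ean']) . '</span>';
}

if (function_exists('add_shortcode')) {
    // Inside WordPress only the hardened handler is registered.
    add_shortcode('example_ean', 'example_ean_shortcode_fixed');
}

// Constructed sample attributes, of the kind a contributor can place in a post:
// one value breaks out of the class attribute, the other carries HTML tags.
$sample = [
    'class' => 'x" title="injected',
    'ean'   => '<b>4006381333931</b>',
];
echo "vulnerable: ", example_ean_shortcode_vulnerable($sample), PHP_EOL;
echo "fixed:      ", example_ean_shortcode_fixed($sample), PHP_EOL;
```

Running the file with plain `php` prints the two renderings: the vulnerable handler emits the extra `title` attribute and the `<b>` tags as live markup, while the fixed handler turns the quote and angle brackets into entities so the browser treats them as text. The escaping has to happen where the value is printed, not when the post is saved, because the post-content filter that applies to contributor accounts only sees the shortcode text, not the HTML the callback later builds from it.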
Affected products
2 entries
- (no CPE)
- (no CPE), affected range: <4.4.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] wpscan.com/vulnerability/450f94a3-56b1-41c7-ac29-fbda1dc04794 (via MITRE; tagged exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.