WordPress Smart Online Order for Clover Plugin <= 1.5.4 is vulnerable to Cross Site Scripting (XSS)
Description
Unauthenticated reflected Cross-Site Scripting (XSS) vulnerability in the Zaytech Smart Online Order for Clover plugin, versions <= 1.5.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Smart Online Order for Clover plugin for WordPress allows unauthenticated attackers to inject arbitrary web scripts via reflected parameters.
Vulnerability
The Smart Online Order for Clover plugin (clover-online-orders) for WordPress versions up to and including 1.5.4 is vulnerable to unauthenticated reflected cross-site scripting (XSS). The vulnerability occurs due to insufficient input sanitization and output escaping of user-supplied parameters, allowing injection of arbitrary JavaScript. [1]
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL containing a payload in a vulnerable parameter. No authentication is required; the victim must click the crafted link. The reflected XSS executes in the context of the victim's browser session on the affected WordPress site.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attack is limited to the scope of the WordPress site and the victim's session.
Mitigation
The vendor has released version 1.6.1 of the plugin (as of April 2026), which likely addresses the vulnerability. Users are strongly advised to update to the latest version. No workarounds are documented. [1]
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.5.4
- Range: n/a
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.