VYPR
High severity 7.1 · NVD Advisory · Published Nov 24, 2025 · Updated Apr 15, 2026

CVE-2024-14015

Description

The WordPress eCommerce Plugin WordPress plugin through 2.9.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting vulnerability which could be used against high-privilege users such as admins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in Studiocart WordPress plugin through 2.9.0 allows high-privilege users to be targeted via unsanitized parameter output.

The Studiocart WordPress eCommerce plugin, versions up to and including 2.9.0, contains a reflected cross-site scripting (XSS) vulnerability. The plugin fails to sanitize and escape a parameter before outputting it back in the page, enabling an attacker to inject arbitrary web scripts [1].

Exploitation requires the victim, such as an administrator, to click a crafted link. The attacker does not need authentication but must trick a high-privilege user into interacting with the malicious URL. The injected script executes in the context of the victim's session, allowing the attacker to perform actions on their behalf [1].

Successful exploitation could lead to privilege escalation, data theft, or complete site compromise if an admin is targeted. The attacker could create new admin accounts, modify site content, or exfiltrate sensitive information [1].

As of the advisory publication, no fix is available. The vulnerability is publicly disclosed and affects all versions up to 2.9.0. Users are advised to apply any future patches or consider alternative plugins until a security update is released [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
