Smart Online Order for Clover <= 1.5.7 - Reflected Cross-Site Scripting
Description
The Smart Online Order for Clover plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.5.7. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Smart Online Order for Clover plugin (≤1.5.7) via unescaped URL parameters allows unauthenticated attackers to inject scripts.
Vulnerability
The Smart Online Order for Clover plugin for WordPress versions up to and including 1.5.7 is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability arises from the use of add_query_arg and remove_query_arg functions without proper escaping on the URL, allowing arbitrary script injection. The plugin is available on the WordPress plugin repository and requires a Clover POS and a subscription to the companion marketplace application [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by crafting a malicious URL containing injected JavaScript. The attacker must trick a user into clicking the link, for example via phishing or social engineering. No authentication or special network position is required; the attack is reflected and executes in the context of the victim's browser session.
Impact
Successful exploitation allows the attacker to inject arbitrary web scripts into pages that the victim views. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The impact is limited to the victim's browser and the privileges of the affected WordPress user.
Mitigation
The plugin developer released version 1.6.1, which presumably addresses the vulnerability. Users should update to version 1.6.1 or later immediately. As of the publication date (2024-10-16), no workaround is documented. The plugin is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3- Range: <=1.5.7
- elbanyaoui/Smart Online Order for Cloverv5Range: 0
Patches
1r3168446Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- plugins.trac.wordpress.org/browser/clover-online-orders/tags/1.5.7/admin/includes/class-moo-products-list.phpmitre
- plugins.trac.wordpress.org/browser/clover-online-orders/tags/1.5.7/admin/moo-OnlineOrders-admin.phpmitre
- plugins.trac.wordpress.org/changeset/3168446/clover-online-orders/tags/1.5.8/admin/includes/class-moo-products-list.phpmitre
- plugins.trac.wordpress.org/changeset/3168446/clover-online-orders/tags/1.5.8/admin/moo-OnlineOrders-admin.phpmitre
- www.wordfence.com/threat-intel/vulnerabilities/id/35d64d3e-b48e-4e35-ab1d-0557fcd62263mitre
News mentions
0No linked articles in our index yet.