Smart Online Order for Clover <= 1.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via moo_receipt_link Shortcode
Description
The Smart Online Order for Clover plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's moo_receipt_link shortcode in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in the Smart Online Order for Clover plugin for WordPress allows contributor-level users to inject arbitrary scripts via the moo_receipt_link shortcode.
Vulnerability
The Smart Online Order for Clover plugin for WordPress (slug clover-online-orders) is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 1.5.7 [1]. The flaw resides in the plugin's moo_receipt_link shortcode, where user-supplied attributes are not sufficiently sanitized or escaped before being output. This allows authenticated attackers with at least contributor-level access to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected page.
Exploitation
An attacker must have contributor-level access or higher to the WordPress site [1]. The attacker can add a new post or page (or modify an existing one) and insert the vulnerable moo_receipt_link shortcode with malicious JavaScript payloads in one of its attributes. The injected script will be stored on the server and executed in the browser of any user who visits the affected page.
Impact
Successful exploitation leads to Stored XSS, enabling the attacker to execute arbitrary JavaScript in the context of the victim's browser. This could be used to steal session cookies, perform actions on behalf of the victim, deface the site, or redirect users to malicious sites. The impact is limited to the privileges of the affected user; however, if an administrator visits the page, full site compromise is possible.
Mitigation
The vulnerability has been fixed in version 1.5.8, which was released on 2024-10-15 [1]. Users are strongly advised to update immediately. No workaround is available for earlier versions; updating the plugin is the only reliable mitigation. The plugin is tested up to WordPress 6.9.4 [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3- Range: <=1.5.7
- elbanyaoui/Smart Online Order for Cloverv5Range: 0
Patches
1r3168433Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- plugins.trac.wordpress.org/browser/clover-online-orders/trunk/includes/shortcodes/checkoutPage.phpmitre
- plugins.trac.wordpress.org/browser/clover-online-orders/trunk/moo_OnlineOrders.phpmitre
- plugins.trac.wordpress.org/browser/clover-online-orders/trunk/moo_OnlineOrders.phpmitre
- plugins.trac.wordpress.org/changeset/3168433/mitre
- wordpress.org/plugins/clover-online-orders/mitre
- www.wordfence.com/threat-intel/vulnerabilities/id/e7263e89-94b2-42e6-a7ed-a86579ce649emitre
News mentions
0No linked articles in our index yet.