Medium severity 4.4 · NVD Advisory · Published Jan 28, 2026 · Updated Apr 15, 2026
CVE-2026-1381
Description
The Order Minimum/Maximum Amount Limits for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected products
- Range: <=4.6.8
Patches
No patches discovered yet.
References
- plugins.trac.wordpress.org/browser/order-minimum-amount-for-woocommerce/tags/4.6.8/includes/class-alg-wc-oma-core.php (nvd)
- plugins.trac.wordpress.org/browser/order-minimum-amount-for-woocommerce/trunk/includes/class-alg-wc-oma-core.php (nvd)
- plugins.trac.wordpress.org/browser/order-minimum-amount-for-woocommerce/trunk/includes/settings/class-alg-wc-oma-settings-general.php (nvd)
- plugins.trac.wordpress.org/changeset (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/3f54f117-0dde-49f9-8014-7650bc1a00ac (nvd)