VYPR
High severity · CVSS 7.1 · NVD Advisory · Published Jun 16, 2026 · Updated Jun 16, 2026

CVE-2026-39437

Description

Unauthenticated reflected XSS in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 allows script injection via crafted requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An unauthenticated reflected Cross-Site Scripting (XSS) vulnerability exists in the Min Max Step Quantity Limits Manager for WooCommerce plugin for WordPress, versions 5.2.2 and earlier [1]. The flaw lies in an unspecified parameter or endpoint that reflects user-supplied input into the response without sanitizing or encoding it, so arbitrary HTML and JavaScript in the request ends up rendered in the page [1].

Exploitation

An attacker can craft a malicious URL containing a payload and trick a privileged user (such as an administrator) into clicking it [1]. No authentication is required to generate the malicious link. The victim must perform an action like clicking the link, visiting a crafted page, or submitting a form for the attack to execute [1]. This is a reflected XSS, so the payload is delivered via the crafted request and does not persist in the database [1].

Impact

Successful exploitation allows the attacker to inject arbitrary scripts into the affected WordPress site [1]. This can be used to perform actions such as redirecting visitors to malicious sites, displaying advertisements, stealing session cookies, or defacing the site [1]. The attack executes in the context of the victim's browser session, potentially compromising the site's integrity and confidentiality [1].

Mitigation

The vulnerability has been fixed in version 5.2.3 of the plugin [1]. Users should update to version 5.2.3 or later immediately [1]. If unable to update, applying a virtual patch or security rule from Patchstack can block attacks until the update is applied [1]. There is no workaround provided beyond updating or using a Web Application Firewall (WAF) rule [1].
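The advisory does not name the reflected parameter or the fix, so the following is an added illustration of the bug class and its standard WordPress remedy, not the plugin's code: the `mmq_notice` query parameter, the `mmq_render_notice_*` functions and the sample request are all assumptions. The `function_exists` stand-ins let the file run outside WordPress; inside WordPress the core helpers (`esc_attr`, `esc_html`, `wp_unslash`, `sanitize_text_field`) are used instead.

```php
<?php
// Added example, not the plugin's code. The advisory does not identify the
// reflected parameter, so `mmq_notice` below is an assumption.

// Stand-ins so this file runs outside WordPress. WordPress core defines these;
// its esc_attr()/esc_html() likewise encode quotes (ENT_QUOTES) and angle brackets.
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) { return stripslashes((string) $value); }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) { return trim(strip_tags((string) $str)); }
}

// Vulnerable pattern (the bug class the advisory describes): request input is
// concatenated straight into the response, so any markup in it is rendered.
function mmq_render_notice_vulnerable(array $get): string {
    $notice = isset($get['mmq_notice']) ? $get['mmq_notice'] : '';
    return '<div class="mmq-notice" data-notice="' . $notice . '">' . $notice . '</div>';
}

// Hardened form: unslash and sanitize on input, then escape for the exact
// output context (attribute value vs. element text). The escaping step is what
// neutralises the reflection; sanitize_text_field() alone is not output encoding.
function mmq_render_notice_fixed(array $get): string {
    $notice = isset($get['mmq_notice'])
        ? sanitize_text_field(wp_unslash($get['mmq_notice']))
        : '';
    return '<div class="mmq-notice" data-notice="' . esc_attr($notice) . '">'
        . esc_html($notice) . '</div>';
}

// Constructed sample request: markup and quote characters are enough to show
// the difference between the two renderings.
$sample = ['mmq_notice' => 'Minimum quantity is 2 <b>"items"</b> & more'];

echo "Vulnerable: " . mmq_render_notice_vulnerable($sample) . PHP_EOL;
echo "Fixed:      " . mmq_render_notice_fixed($sample) . PHP_EOL;
```

Run with `php example.php`: the vulnerable rendering emits the `<b>` tag and the raw quotes, the second breaking out of the `data-notice` attribute; the fixed rendering strips the tag on input and encodes `"`, `&`, `<` and `>` on output, so the browser shows the text literally. The same input/output split is what a WAF virtual patch cannot fully replace: a rule can block known-bad requests, but only context-aware escaping at the point of output closes the reflection itself.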

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (1)

News mentions (0)

No linked articles in our index yet.