Atomic Edge analysis of CVE-2026-3574 (metadata-based): This vulnerability affects the Experto Dashboard for WooCommerce plugin for WordPress, versions 1.0.4 and earlier. It is a Stored Cross-Site Scripting (XSS) vulnerability in the plugin’s settings fields, specifically ‘Navigation Font Size’, ‘Navigation Font Weight’, ‘Heading Font Size’, ‘Heading Font Weight’, ‘Text Font Size’, and ‘Text Font Weight’. The CVSS score is 4.4 (MEDIUM), with a vector indicating high attack complexity, high privileges required, but a changed scope and low impact on confidentiality and integrity.
Root Cause: The vulnerability stems from insufficient input sanitization and missing output escaping. The plugin uses register_setting() without a sanitize callback, meaning user-supplied values are not sanitized before storage. Additionally, the field_callback() function outputs these values using printf without esc_attr() escaping. This allows an attacker to inject arbitrary HTML and JavaScript. Because no code diff is available, these conclusions are inferred from the CWE classification (CWE-79) and the vulnerability description.
Exploitation: An attacker with Administrator-level access navigates to the WordPress admin settings page for the plugin (typically /wp-admin/admin.php?page=experto-dashboard-settings or similar). The attacker submits the settings form, injecting a JavaScript payload into one of the vulnerable fields (e.g., Navigation Font Size). The payload is stored in the WordPress options table. The malicious script executes when any user, including other administrators, views the settings page. Because single-site administrators normally hold the unfiltered_html capability and can already publish script, the vulnerability only matters on multi-site installations or on sites where unfiltered_html has been disabled; in those environments the stored payload bypasses the restriction that would otherwise confine script injection to super admins. The attack vector is the plugin’s settings form submission, likely via a POST request to /wp-admin/options.php with the plugin’s option group.
Remediation: The fix (version 1.0.5) likely adds a sanitize callback to register_setting() for each vulnerable option, using WordPress functions like sanitize_text_field() or wp_kses() to strip unwanted HTML. It also adds output escaping in the field_callback() function, wrapping the echoed value in esc_attr() to neutralize any remaining malicious characters.
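The following is an added illustration, not code from the Experto Dashboard plugin or from the analysis above: a minimal WordPress settings page that reproduces the pattern described in the root cause (register_setting() with no sanitize callback, printf() without esc_attr()) next to the corrected pattern described in the remediation. The option names, settings page slug, function names and the allow-lists are assumptions chosen for the example. Beyond the sanitize_text_field()/esc_attr() pairing the text names, it also validates each value against the small set of legitimate font sizes and weights, since a setting with a tiny value space should be rejected rather than merely stripped of tags.

```php
<?php
/*
 * Added example (not the plugin's own code). Option names, the page slug
 * 'exdash-example-settings' and the validation rules are assumptions.
 */

// ---- Vulnerable pattern: raw storage, unescaped output -----------------------
function exdash_example_register_vulnerable() {
    // No sanitize_callback: whatever is POSTed is written to wp_options as-is.
    register_setting( 'exdash_example_group', 'exdash_nav_font_size' );
    add_settings_section( 'exdash_example_section', 'Typography', '__return_false', 'exdash-example-settings' );
    add_settings_field( 'exdash_nav_font_size', 'Navigation Font Size', 'exdash_example_field_vulnerable',
        'exdash-example-settings', 'exdash_example_section', array( 'option' => 'exdash_nav_font_size' ) );
}

function exdash_example_field_vulnerable( $args ) {
    $value = get_option( $args['option'], '' );
    // The stored value lands inside an attribute with no escaping, so a value that
    // closes the quote and the tag runs as script for every admin who opens the page.
    printf( '<input type="text" name="%s" value="%s">', $args['option'], $value );
}

// ---- Corrected pattern: sanitize on save, escape on output -------------------
function exdash_example_sanitize_font_size( $value ) {
    $value = sanitize_text_field( (string) $value );
    // Assumed policy: a number followed by a CSS length unit, nothing else.
    if ( ! preg_match( '/^\d{1,3}(\.\d{1,2})?(px|em|rem|%)$/', $value ) ) {
        add_settings_error( 'exdash_nav_font_size', 'exdash_invalid_font_size',
            'Navigation Font Size must be a number followed by px, em, rem or %.' );
        // Reject the submission for this field by keeping the previously stored value.
        return get_option( 'exdash_nav_font_size', '16px' );
    }
    return $value;
}

function exdash_example_sanitize_font_weight( $value ) {
    // Assumed allow-list of CSS font-weight values; anything else falls back to 'normal'.
    $allowed = array( 'normal', 'bold', '100', '200', '300', '400', '500', '600', '700', '800', '900' );
    $value   = strtolower( sanitize_text_field( (string) $value ) );
    return in_array( $value, $allowed, true ) ? $value : 'normal';
}

function exdash_example_register_fixed() {
    // sanitize_callback runs before the option is written, on every save path
    // (options.php, REST, update_option), so the stored value is always clean.
    register_setting( 'exdash_example_group', 'exdash_nav_font_size', array(
        'type'              => 'string',
        'sanitize_callback' => 'exdash_example_sanitize_font_size',
        'default'           => '16px',
    ) );
    register_setting( 'exdash_example_group', 'exdash_nav_font_weight', array(
        'type'              => 'string',
        'sanitize_callback' => 'exdash_example_sanitize_font_weight',
        'default'           => 'normal',
    ) );

    add_settings_section( 'exdash_example_section', 'Typography', '__return_false', 'exdash-example-settings' );
    foreach ( array( 'exdash_nav_font_size' => 'Navigation Font Size',
                     'exdash_nav_font_weight' => 'Navigation Font Weight' ) as $option => $label ) {
        add_settings_field( $option, $label, 'exdash_example_field_fixed',
            'exdash-example-settings', 'exdash_example_section', array( 'option' => $option ) );
    }
}

function exdash_example_field_fixed( $args ) {
    $value = get_option( $args['option'], '' );
    // esc_attr() encodes quotes and angle brackets for the attribute context, so even a
    // value that slipped past sanitization cannot break out of the input element.
    printf( '<input type="text" name="%s" value="%s">', esc_attr( $args['option'] ), esc_attr( $value ) );
}

// Wire up only the corrected version; the vulnerable functions are kept for comparison.
add_action( 'admin_init', 'exdash_example_register_fixed' );
```

The page itself is rendered in the usual way (a form posting to options.php that calls settings_fields( 'exdash_example_group' ), do_settings_sections( 'exdash-example-settings' ) and submit_button()). Two design points worth noting: the sanitize callback is the only defence that protects every write path, since output escaping alone leaves a hostile value sitting in wp_options for any other consumer to echo; and esc_attr() is correct only for an HTML attribute, so if the same font settings are also written into a <style> block or inline CSS, the allow-list validation at save time is what actually keeps that context safe.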
Impact: Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the WordPress admin dashboard. This can lead to session hijacking, forced actions on behalf of other administrators (e.g., creating new admin users, modifying site content), or defacement of the admin interface. The scope change in the CVSS vector indicates the attack can affect resources beyond the vulnerable component, such as other admin pages or user interactions.
