[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fqNjP8swhXFVfu1GdxtnMbiwzGuDGWqbwWoK-4HzDQc4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":31,"research_started_at":32,"research_completed_at":33,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":34},"CVE-2026-6962","cost-of-goods-product-cost-profit-calculator-for-woocommerce-authenticated-contributor-stored-cross-site-scripting","Cost of Goods: Product Cost & Profit Calculator for WooCommerce \u003C= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'alg_wc_cog_product_cost' and 'alg_wc_cog_product_profit' shortcodes in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cost-of-goods-for-woocommerce",null,"\u003C=4.1.0","4.1.1","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-05-12 15:52:09","2026-05-13 04:26:44",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Faedde7a7-018d-45f9-8f67-f4ea01be894e?source=api-prod",1,[22,23,24,25,26],"cost-of-goods-for-woocommerce.php","includes\u002Fclass-alg-wc-cog-products.php","includes\u002Fclass-alg-wc-cog.php","langs\u002Fcost-of-goods-for-woocommerce.pot","readme.txt","researched",false,3,"# CVE-2026-6962: Research & Exploitation Plan\n\n## 1. Vulnerability Summary\nThe **Cost of Goods: Product Cost & Profit Calculator for WooCommerce** plugin (versions \u003C= 4.1.0) is vulnerable to **Stored Cross-Site Scripting (XSS)** via the `[alg_wc_cog_product_cost]` and `[alg_wc_cog_product_profit]` shortcodes. \n\nThe vulnerability exists in `includes\u002Fclass-alg-wc-cog-products.php`. While the plugin attempts to sanitize the `html_template` and `profit_template` attributes using `wp_kses_post()`, it applies `html_entity_decode()` to the user-supplied attributes *before* sanitization and then uses `str_replace()` to inject content *after* the template has been sanitized. Because that substitution happens after `wp_kses_post()` has run, the substituted content is not covered by it. This logic allows an authenticated user with Contributor+ permissions (who can create posts and use shortcodes) to inject arbitrary web scripts if the sanitization can be bypassed or if the substitution logic is flawed.\n\n## 2. 
Attack Vector Analysis\n- **Shortcodes:** `[alg_wc_cog_product_cost]` and `[alg_wc_cog_product_profit]`\n- **Vulnerable Attributes:** `html_template` and `profit_template`\n- **Authentication:** Contributor or higher.\n- **Preconditions:** The shortcodes must be enabled in the plugin settings (defaults to 'no' in some versions, but often","gemini-3-flash-preview","2026-05-14 17:54:10","2026-05-14 17:55:48",{"type":35,"vulnerable_version":36,"fixed_version":11,"vulnerable_browse":37,"vulnerable_zip":38,"fixed_browse":39,"fixed_zip":40,"all_tags":41},"plugin","4.1.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcost-of-goods-for-woocommerce\u002Ftags\u002F4.1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcost-of-goods-for-woocommerce.4.1.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcost-of-goods-for-woocommerce\u002Ftags\u002F4.1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcost-of-goods-for-woocommerce.4.1.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcost-of-goods-for-woocommerce\u002Ftags"]