CVE-2026-6370

Mini Ajax Cart for WooCommerce <= 1.3.4 - Authenticated (Author+) Stored Cross-Site Scripting

Severity: medium
CWE: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 6.4
Patched in: 1.3.5
Time to patch: 7d

Description

The Mini Ajax Cart for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.3.4
Published: April 15, 2026
Last updated: April 21, 2026
Affected plugin: mini-ajax-woo-cart

Source Code: WordPress.org SVN
Patched source: not available

Research Plan
Unverified

Exploitation Research Plan: CVE-2026-6370

1. Vulnerability Summary

The Mini Ajax Cart for WooCommerce plugin (versions <= 1.3.4) contains a Stored Cross-Site Scripting (XSS) vulnerability. The flaw exists because the plugin allows users with Author-level permissions or higher to save plugin settings (likely via an AJAX handler) without adequate sanitization of the input or escaping of the output. This allows an attacker to inject malicious JavaScript into settings such as "Cart Title," "Empty Cart Message," or "Button Text," which is then executed in the context of any user (including administrators) who visits the frontend of the site or the plugin's settings page.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • Action: Likely wp_ajax_mac_save_settings or wp_ajax_save_mini_cart_options (inferred).
  • Vulnerable Parameter: A settings array or specific string parameter, e.g., cart_title, empty_cart_text, or checkout_button_text (inferred).
  • Authentication: Requires Author-level credentials (PR:L - Post author/Editor/Shop Manager).
  • Preconditions: The plugin must be active, and WooCommerce must be installed.

3. Code Flow (Inferred)

  1. Entry Point: An AJAX handler is registered using add_action('wp_ajax_...', ...).
  2. Authorization Check: The handler likely gates the request on a low capability that Authors hold (for example publish_posts or upload_files) instead of manage_options (Admin level). Note that edit_posts is already granted to Contributors, so if the real check is edit_posts the exposure is wider than the Author+ rating states.
  3. Data Processing: The handler retrieves user input from $_POST (e.g., $_POST['settings']).
  4. Sink (Storage): The input is saved to the database via update_option() or update_post_meta() without being sanitized by sanitize_text_field() or wp_kses().
  5. Sink (Output): On the frontend, a function hooked to wp_footer or wp_ajax_nopriv_get_cart_data retrieves the stored option and echoes it directly into the HTML without using esc_html() or esc_attr().

4. Nonce Acquisition Strategy

To exploit the AJAX endpoint, a valid security nonce is typically required. Since this is an authenticated vulnerability, we can extract the nonce from the WordPress admin dashboard.

  1. Identify Script Localization: The plugin likely localizes a script using wp_localize_script(). Look for variables like mac_admin_vars or mini_cart_params.
  2. Where the Nonce Is Loaded: Even if an Author cannot see the full settings menu, the plugin's admin script and its localized nonce are often enqueued on every admin page, or at least on the post.php editor.
  3. Extraction:
    • Navigate to wp-admin/index.php or wp-admin/edit.php as the Author user.
    • In the browser developer console, check the likely globals:
      // Example check for common patterns
      window.mac_admin_vars?.nonce || window.mini_cart_params?.nonce
      
    • If not found, search the page source for "nonce" to identify the correct global variable.

5. Exploitation Strategy

  1. Authentication: Log in as a user with the Author role.
  2. Nonce Retrieval: Open an admin page in the browser and read the AJAX nonce out of the localized script variable from the developer console.
  3. Identify Target Parameter: Use grep on the plugin directory to find the AJAX action and the specific setting key:
    grep -rn "wp_ajax_" .
    grep -rn "update_option" .
    
  4. Payload Delivery: Send the malicious payload with curl or any HTTP client that carries the Author's session cookies.
    • Method: POST
    • URL: http://[target]/wp-admin/admin-ajax.php
    • Body (URL-encoded):
      action=[INFERRED_ACTION]&
      nonce=[EXTRACTED_NONCE]&
      settings[cart_title]=<script>alert(document.domain)</script>
      
    • Note: Adjust the structure based on how the plugin expects the data (e.g., a flat list of parameters vs an array).
  5. Triggering: Navigate to the site's homepage or any product page where the "Mini Ajax Cart" widget appears.

6. Test Data Setup

  1. Install Requirements: Ensure woocommerce and mini-ajax-woo-cart (v1.3.4) are active.
  2. Create User:
    wp user create attacker attacker@example.com --role=author --user_pass=password
    
  3. Add Product: (Optional, but ensures the cart logic is active)
    wp post create --post_type=product --post_title="Test Product" --post_status=publish
    

7. Expected Results

  • The AJAX response should indicate success (e.g., {"success": true} or 1).
  • When visiting the frontend, a JavaScript alert box containing the document domain should appear.
  • The malicious script should be visible in the page source, unescaped within the cart's HTML structure.

8. Verification Steps

  1. Verify Storage via WP-CLI:
    # Check the option value directly in the database
    wp option get [OPTION_NAME_FOUND_IN_CODE]
    
    Confirm that the value contains the raw <script> tag.
  2. Check Frontend Output:
    # Check for the unescaped script in the frontend HTML
    curl -s http://localhost:8080/ | grep "<script>alert"
    

9. Alternative Approaches

  • Settings Page Bypass: If the Author role cannot access the settings page directly, try to access the AJAX handler directly (as most wp_ajax_ handlers only check capability, not menu access).
  • Different Parameters: If cart_title is sanitized, check other settings like empty_cart_message, checkout_button_text, or custom_css.
  • Shortcode Attributes: If the XSS is stored via post meta, use an Author account to create a post and include a shortcode with a malicious attribute if the plugin processes shortcode attributes unsafely.
    • wp post create --post_type=post --post_content='[mini_cart title="<script>alert(1)</script>"]' (inferred shortcode).

Research Findings
Static analysis — not yet PoC-verified

Summary

The Mini Ajax Cart for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings. Authenticated attackers with Author-level permissions or higher can exploit insufficient input sanitization and output escaping to inject malicious JavaScript into settings such as 'Cart Title', which then executes when any user views the frontend cart.

Vulnerable Code

/* Inferred AJAX handler in admin-side code */
// Typical registration in version <= 1.3.4
add_action('wp_ajax_mac_save_settings', 'mac_save_settings_callback');
function mac_save_settings_callback() {
    // Vulnerable: capability too low for a settings write, and no nonce check.
    // Note: edit_posts is held by Contributors as well; the advisory rates this
    // Author+, so the real plugin check may be a slightly higher capability.
    if ( ! current_user_can( 'edit_posts' ) ) { 
        wp_die();
    }
    // Vulnerable: Direct assignment from $_POST without sanitization
    $settings = $_POST['settings']; 
    update_option( 'mini_cart_options', $settings );
    wp_send_json_success();
}

---

/* Inferred frontend rendering logic */
// Typical output in version <= 1.3.4
public function render_cart_html() {
    $options = get_option( 'mini_cart_options' );
    $title = $options['cart_title'];
    // Vulnerable: Outputting user-controlled data without escaping
    echo '<div class="mac-cart-title">' . $title . '</div>';
}

Security Fix

--- a/admin/class-mini-cart-admin.php
+++ b/admin/class-mini-cart-admin.php
@@ -2,5 +2,5 @@
 function mac_save_settings_callback() {
-    if ( ! current_user_can( 'edit_posts' ) ) {
+    if ( ! current_user_can( 'manage_options' ) ) {
         wp_die();
     }
-    $settings = $_POST['settings'];
+    $settings = array_map( 'sanitize_text_field', $_POST['settings'] );
     update_option( 'mini_cart_options', $settings );
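Review bot: the added `$settings = array_map( 'sanitize_text_field', $_POST['settings'] );` line still trusts the request shape: if `settings` is omitted or sent as a scalar, `array_map()` throws a TypeError on PHP 8, and nested arrays pass through untouched because `array_map()` only visits the top level; guard with `is_array()` and sanitize only an allowlist of known setting keys. The hunk also adds no `check_ajax_referer()` call, so the handler remains reachable by cross-site request forgery against a logged-in admin; add the nonce check for whatever action name the localized script uses. On the removed line, `edit_posts` is held by Contributors, not only Authors, so if that was the shipped check the exposure was wider than the Author+ rating states; `manage_options` on the added line is the right bar for plugin settings.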
--- a/public/class-mini-cart-public.php
+++ b/public/class-mini-cart-public.php
@@ -4,2 +4,2 @@
     $title = $options['cart_title'];
-    echo '<div class="mac-cart-title">' . $title . '</div>';
+    echo '<div class="mac-cart-title">' . esc_html( $title ) . '</div>';
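Review bot: `esc_html()` is the right call for this text node, but the unchanged `$title = $options['cart_title'];` context line emits an undefined-index notice when the option has never been saved (`get_option()` returns `false`) or the key is absent; read it through `isset()` with a default. Escaping here covers only this sink: if the same title is also placed in an attribute or returned in the cart fragment served by the AJAX handler mentioned in section 3, those paths need `esc_attr()` or `wp_json_encode()` separately. Values stored before the upgrade stay raw in the database, so this output-side change, not the save-time sanitization, is what neutralizes payloads already present.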

Exploit Outline

  1. Authenticate as a user with at least Author-level privileges.
  2. Navigate to the WordPress dashboard and extract the AJAX nonce from localized scripts, typically found in a global variable like 'mac_admin_vars'.
  3. Construct a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to the plugin's settings-saving handler (e.g., 'mac_save_settings').
  4. Include a malicious payload in the 'settings' array parameter, such as 'settings[cart_title]=<script>alert(document.domain)</script>'.
  5. Submit the request to store the payload in the site's options table.
  6. Visit the site's frontend as any user; the script will execute when the mini-cart widget renders the unsanitized 'cart_title' setting.
