CVE-2026-1381 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Order Minimum/Maximum Amount Limits for WooCommerce plugin developed by wpcodefactory. This vulnerability exists in all versions up to and including 4.6.8 due to insufficient input sanitization and output escaping in the plugin's settings interface. Authenticated users with Shop Manager-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into plugin configuration fields. These scripts are then stored and executed whenever any user accesses the affected pages, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress multi-site environment. The vulnerability is limited to multi-site WordPress installations or those where the unfiltered_html capability is disabled, which restricts the ability to insert raw HTML. The CVSS 3.1 score of 4.4 reflects a medium severity rating, with network attack vector, high attack complexity, and required privileges. No user interaction is needed for the malicious script to execute once injected, and the vulnerability impacts confidentiality and integrity but not availability. No public exploits have been reported yet, but the risk remains significant due to the widespread use of WooCommerce and the plugin in e-commerce contexts.

For European organizations, this vulnerability could lead to unauthorized script execution within their WordPress multi-site e-commerce platforms, potentially compromising customer data, session tokens, and administrative controls. Attackers with Shop Manager permissions could leverage this to escalate privileges or manipulate order processing, undermining business operations and customer trust. Given the prevalence of WooCommerce in European e-commerce, especially in countries with mature online retail sectors, the impact could extend to data breaches under GDPR regulations, resulting in legal and financial penalties. The vulnerability does not directly affect availability but threatens confidentiality and integrity, which are critical for maintaining secure online transactions and customer privacy. Multi-site installations, common in larger organizations or agencies managing multiple client sites, are particularly at risk. The absence of known exploits reduces immediate risk but does not eliminate the potential for targeted attacks.

European organizations should immediately audit their WordPress environments to identify installations of the vulnerable plugin, especially multi-site setups. Restrict Shop Manager permissions strictly, ensuring only trusted personnel have such access. Implement additional input validation and output escaping controls at the application level if possible. Consider disabling or limiting the use of the vulnerable plugin until a patched version is available. Monitor logs and user activity for unusual behavior indicative of attempted XSS exploitation. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious script injections targeting plugin settings. Educate administrators on the risks of granting elevated permissions and the importance of secure configuration management. Regularly update WordPress core, plugins, and themes to incorporate security patches promptly. Finally, prepare incident response plans tailored to web application attacks involving XSS to minimize damage if exploitation occurs.