CVE-2026-1381 is a stored cross-site scripting vulnerability identified in the Order Minimum/Maximum Amount Limits for WooCommerce plugin for WordPress, affecting all versions up to and including 4.6.8. The root cause is improper neutralization of input during web page generation (CWE-79), where the plugin fails to adequately sanitize and escape user-supplied input in its settings interface. This flaw allows authenticated attackers with Shop Manager-level permissions or higher to inject arbitrary JavaScript code into plugin settings. Because these scripts are stored persistently, they execute whenever any user accesses the affected pages, leading to potential session hijacking, privilege escalation, or unauthorized actions. The vulnerability specifically impacts multisite WordPress installations or those where the unfiltered_html capability is disabled, limiting the scope but increasing risk in complex environments. The CVSS 3.1 base score of 4.4 indicates medium severity, with network attack vector, high attack complexity, and required privileges. No public exploits have been reported yet, but the vulnerability poses a significant risk to organizations relying on this plugin in multisite contexts.

The primary impact of CVE-2026-1381 is the potential execution of malicious scripts within the context of affected WordPress sites, leading to compromised user sessions, data theft, or unauthorized actions performed on behalf of users. Since the vulnerability requires Shop Manager-level privileges, attackers must already have some level of access, but can leverage this to escalate their control or affect other users, including administrators. The stored nature of the XSS means that any user visiting the injected page may be exposed, increasing the attack surface. For multisite WordPress installations, which are common in large organizations and hosting providers, the risk is amplified due to the broader user base and interconnected sites. This can result in reputational damage, data breaches, and potential regulatory consequences. The medium CVSS score reflects that while the vulnerability is not trivially exploitable by outsiders, the impact on confidentiality and integrity is notable.

Organizations should immediately verify if they are using the Order Minimum/Maximum Amount Limits for WooCommerce plugin in multisite WordPress environments or with unfiltered_html disabled. Since no official patch links are provided yet, administrators should consider the following mitigations: restrict Shop Manager and higher privileges to trusted users only, implement strict input validation and output escaping at the application or web server level if possible, and monitor plugin settings for suspicious changes. Employing Web Application Firewalls (WAFs) with custom rules to detect and block malicious script injections can reduce risk. Additionally, consider disabling or limiting the plugin usage until a vendor patch is released. Regularly audit user permissions and review multisite configurations to minimize exposure. Once a patch is available, prioritize prompt application and test thoroughly in staging environments before deployment.