CVE-2026-1381 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the 'Order Minimum/Maximum Amount Limits for WooCommerce' WordPress plugin by wpcodefactory. The vulnerability exists due to insufficient sanitization and escaping of input in the plugin's settings, which allows authenticated users with Shop Manager-level permissions or higher to inject arbitrary JavaScript code. This malicious code is stored persistently and executed whenever any user accesses the affected page, potentially leading to session hijacking, privilege escalation, or defacement. The vulnerability specifically affects multisite WordPress installations or those where the unfiltered_html capability is disabled, limiting the attack surface to these configurations. The CVSS 3.1 base score is 4.4 (medium), reflecting the requirement for high privileges (Shop Manager or above), no user interaction, network attack vector, and limited impact on confidentiality and integrity but no impact on availability. No patches or exploits are currently publicly available, but the risk remains for organizations using this plugin in the specified environments. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially in plugins that extend e-commerce functionality.

For European organizations, this vulnerability poses a moderate risk primarily to those operating WordPress multisite installations with WooCommerce and the affected plugin. Attackers with Shop Manager or higher privileges could inject malicious scripts that execute in the context of other users, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions within the e-commerce platform. While the impact on availability is negligible, the confidentiality and integrity of user data and transactions could be compromised. This is particularly concerning for organizations handling sensitive customer data or financial transactions. The requirement for elevated privileges reduces the likelihood of exploitation by external attackers but does not eliminate insider threats or compromised accounts. Given the widespread use of WooCommerce in Europe, especially among small and medium enterprises, the vulnerability could affect a significant number of e-commerce sites if not addressed promptly.

European organizations should immediately audit their WordPress installations to identify multisite environments using the 'Order Minimum/Maximum Amount Limits for WooCommerce' plugin up to version 4.6.8. Since no official patch is currently available, administrators should consider the following mitigations: restrict Shop Manager and higher permissions strictly to trusted users; enable and enforce strict input validation and output escaping in custom plugin settings if customization is possible; monitor and log changes to plugin settings for suspicious activity; consider disabling or removing the plugin if it is not essential; implement Web Application Firewall (WAF) rules to detect and block malicious script injections targeting this plugin; and ensure that the unfiltered_html capability remains disabled for non-administrative users to reduce attack surface. Additionally, maintain regular backups and monitor for unusual behavior indicative of XSS exploitation. Once a patch is released, prioritize immediate update of the plugin.