CVE-2026-24526 is a DOM-based Cross-site Scripting (XSS) vulnerability identified in the Steve Truman Email Inquiry & Cart Options plugin for WooCommerce, specifically affecting versions up to and including 3.4.3. This vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be injected and executed within the victim's browser context. The attack vector requires network access and low privileges (PR:L), with user interaction (UI:R) necessary to trigger the exploit, such as clicking a crafted link or interacting with a manipulated page element. The vulnerability impacts confidentiality, integrity, and availability to a limited extent, as attackers can execute arbitrary scripts that may steal session tokens, manipulate page content, or perform actions on behalf of the user. The vulnerability has a CVSS 3.1 base score of 6.5, categorized as medium severity, with a scope change (S:C) indicating that the exploit can affect resources beyond the vulnerable component. No known exploits are currently reported in the wild, but the widespread use of WooCommerce and this plugin in e-commerce environments increases the potential risk. The lack of available patches at the time of publication necessitates immediate attention to input validation and output encoding best practices to mitigate the risk.

For European organizations, especially those operating WooCommerce-based e-commerce platforms, this vulnerability poses a moderate risk. Successful exploitation could allow attackers to execute malicious scripts in users' browsers, potentially leading to theft of sensitive customer data such as session cookies, personal information, or payment details. This could result in reputational damage, regulatory penalties under GDPR for data breaches, and financial losses. The vulnerability's requirement for user interaction limits automated exploitation but does not eliminate risk, particularly in phishing or social engineering scenarios. Given the high adoption of WooCommerce in countries like Germany, the UK, France, and the Netherlands, organizations in these regions may face increased targeting. Additionally, compromised customer trust and potential downtime from incident response efforts could impact business continuity and revenue.

Organizations should immediately verify if they use the Steve Truman Email Inquiry & Cart Options plugin for WooCommerce and identify the version in use. If running version 3.4.3 or earlier, they should prioritize upgrading to a patched version once available. In the absence of an official patch, implement strict input validation and output encoding on all user-supplied data within the plugin's scope to neutralize potentially malicious scripts. Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of XSS attacks. Regularly audit and monitor web application logs for suspicious activities indicative of XSS exploitation attempts. Educate users and staff about phishing risks to reduce the likelihood of successful user interaction-based attacks. Finally, maintain up-to-date backups and incident response plans to quickly recover from any compromise.