CVE-2026-3574 is a stored cross-site scripting vulnerability in the Experto Dashboard for WooCommerce plugin for WordPress, affecting all versions up to and including 1.0.4. The vulnerability arises from the lack of input sanitization (no sanitize callback in register_setting()) and missing output escaping (no esc_attr() in the field_callback() output) on user-supplied values in plugin settings fields such as 'Navigation Font Size' and 'Heading Font Weight'. Authenticated users with Administrator-level access or higher can exploit this to inject malicious scripts into the settings page. This vulnerability specifically impacts multi-site WordPress installations and those with unfiltered_html capability disabled. The CVSS 3.1 base score is 4.4, reflecting medium severity with network attack vector, high attack complexity, and privileges required.

An attacker with Administrator-level privileges can inject and store malicious scripts in the plugin's settings fields, which execute when the settings page is viewed by users. This could lead to limited confidentiality and integrity impacts within the affected WordPress environment. The vulnerability does not affect availability and requires high privileges and specific WordPress configurations (multi-site or unfiltered_html disabled) to be exploitable.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, limit Administrator-level access to trusted users only and consider disabling or removing the Experto Dashboard for WooCommerce plugin if feasible. Monitor vendor channels for updates regarding a patch or official remediation.