{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1826", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-03T14:23:09.751Z", "datePublished": "2026-02-11T08:26:27.919Z", "dateUpdated": "2026-04-08T17:29:27.754Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:27.754Z"}, "affected": [{"vendor": "openpos", "product": "OpenPOS Lite \u2013 Point of Sale for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The OpenPOS Lite \u2013 Point of Sale for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter of the order_qrcode shortcode in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "OpenPOS Lite <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3bb88e9-e410-4ff7-b342-72c7b375dff1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpos-lite-version/trunk/includes/admin/Admin.php#L3161"}, {"url": "https://plugins.trac.wordpress.org/browser/wpos-lite-version/tags/3.0/includes/admin/Admin.php#L3161"}, {"url": "https://plugins.trac.wordpress.org/changeset/3456299/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-02-10T20:07:08.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-11T15:37:02.304120Z", "id": "CVE-2026-1826", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T15:44:27.667Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1826", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-11T15:37:02.304120Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T15:37:03.263Z"}}], "cna": {"title": "OpenPOS Lite <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "openpos", "product": "OpenPOS Lite \u2013 Point of Sale for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-10T20:07:08.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3bb88e9-e410-4ff7-b342-72c7b375dff1?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpos-lite-version/trunk/includes/admin/Admin.php#L3161"}, {"url": "https://plugins.trac.wordpress.org/browser/wpos-lite-version/tags/3.0/includes/admin/Admin.php#L3161"}, {"url": "https://plugins.trac.wordpress.org/changeset/3456299/"}], "descriptions": [{"lang": "en", "value": "The OpenPOS Lite \u2013 Point of Sale for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter of the order_qrcode shortcode in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:27.754Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1826", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:29:27.754Z", "dateReserved": "2026-02-03T14:23:09.751Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-11T08:26:27.919Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The OpenPOS Lite \u2013 Point of Sale for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter of the order_qrcode shortcode in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El plugin OpenPOS Lite \u2013 Point of Sale for WooCommerce para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del par\u00e1metro 'width' del shortcode order_qrcode en todas las versiones hasta la 3.0, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador o superior, inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada."}], "id": "CVE-2026-1826", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-11T09:15:52.383", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpos-lite-version/tags/3.0/includes/admin/Admin.php#L3161"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpos-lite-version/trunk/includes/admin/Admin.php#L3161"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3456299/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3bb88e9-e410-4ff7-b342-72c7b375dff1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.0]"}}], "product": "openpos_lite_\u2013_point_of_sale_for_woocommerce", "vendor": "openpos"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T17:18:19.630650+00:00", "value": {"mitigation_remediation": ["Upgrade OpenPOS Lite to the latest release (>=3.1) where the 'width' attribute is properly sanitized.", "If upgrading immediately is not feasible, remove or disable the order_qrcode shortcode on public\u2011facing pages to eliminate the stored script vector.", "Temporarily revoke Contributor\u2010level permissions from users who are not required to add order_qrcode shortcodes, or reallocate the role with limited capabilities."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Affected installations include any WordPress site running the OpenPOS Lite plugin up to and including version 3.0. The vulnerability exists in all releases prior to 3.1 and is present wherever the order_qrcode shortcode is used in public or administrative pages.", "description_and_impact": "The OpenPOS Lite \u2013 Point of Sale for WooCommerce plugin is vulnerable to a stored cross\u2011site scripting flaw triggered by the 'width' parameter of the order_qrcode shortcode. Authenticated users with Contributor-level privileges can inject arbitrary JavaScript. When a page containing the compromised shortcode is viewed, the injected script runs in the context of that page, giving the attacker the ability to steal session cookies, modify page content, or deface the site.", "risk_and_exploitability": "The flaw carries a CVSS score of 6.4 (Moderate) and an EPSS probability of less than 1\u202f%, indicating a low overall exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. Because it requires only Contributor+ access, a wide range of site contributors could create the malicious payload. Once the shortcode is stored, the script executes for any visitor who loads the affected page, making the attack a persistent threat until remediation."}}}}, "created": "2026-02-11T21:45:58.847325+00:00", "updated": "2026-04-15T17:30:10.485285+00:00", "vendors": ["openpos", "openpos$PRODUCT$openpos_lite_\u2013_point_of_sale_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}