{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4479", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-19T21:10:40.397Z", "datePublished": "2026-04-14T03:37:33.525Z", "dateUpdated": "2026-04-14T14:04:52.634Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-14T03:37:33.525Z"}, "affected": [{"vendor": "wpcodefactory", "product": "WholeSale Products Dynamic Pricing Management WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "WholeSale Products Dynamic Pricing Management WooCommerce <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6b0382e2-e029-4e19-981c-6dc570e182f0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wholesale-products-dynamic-pricing-management-woocommerce/trunk/class-main.php#L114"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2026-02-02T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-03-25T21:51:51.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-13T15:13:22.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4479", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T14:02:19.689072Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:04:52.634Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4479", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T14:02:19.689072Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:04:07.990Z"}}], "cna": {"title": "WholeSale Products Dynamic Pricing Management WooCommerce <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "wpcodefactory", "product": "WholeSale Products Dynamic Pricing Management WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-02T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-03-25T21:51:51.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-13T15:13:22.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6b0382e2-e029-4e19-981c-6dc570e182f0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wholesale-products-dynamic-pricing-management-woocommerce/trunk/class-main.php#L114"}], "descriptions": [{"lang": "en", "value": "The WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-14T03:37:33.525Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4479", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:04:52.634Z", "dateReserved": "2026-03-19T21:10:40.397Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-14T03:37:33.525Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "id": "CVE-2026-4479", "lastModified": "2026-04-22T20:23:16.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-14T04:17:18.717", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wholesale-products-dynamic-pricing-management-woocommerce/trunk/class-main.php#L114"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6b0382e2-e029-4e19-981c-6dc570e182f0?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WholeSale Products Dynamic Pricing Management WooCommerce", "source": "cna", "vendor": "wpcodefactory"}, "product": "wholesale_products_dynamic_pricing_management_woocommerce", "vendor": "wpcodefactory"}], "analysis": {"en": {"generated_at": "2026-04-14T05:21:03.017970+00:00", "value": {"mitigation_remediation": ["Update WholeSale Products Dynamic Pricing Management WooCommerce to the latest version (v1.3 or later).", "Verify that the unfiltered_html capability is disabled for non\u2011admin users or in multisite installations.", "Review and remove any custom scripts that have been inserted via the plugin\u2019s settings.", "Restrict administrator accounts to prevent accidental insertion of malicious content until a patch is released."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting (stored) allowing arbitrary script execution on affected pages"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of the WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress up to and including version 1.2. It only applies in multi\u2011site environments or where the unfiltered_html capability has been disabled, meaning the flaw is relevant to most typical WordPress deployments that use this plugin on multisite setups.", "description_and_impact": "The WholeSale Products Dynamic Pricing Management WooCommerce plugin contains a stored cross\u2011site scripting flaw due to insufficient input sanitization and output escaping in the admin settings. Authenticated users with administrator\u2011level permissions can inject arbitrary JavaScript or other executable content into these settings. When a page reads the affected settings, the injected script executes in the browser of any visitor, potentially allowing cookie theft, session hijacking, or further exploitation of the site. The weakness maps to CWE\u201179.", "risk_and_exploitability": "The CVSS base score of 4.4 puts the issue in the medium severity range. No EPSS score has been published and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting that it has not yet been widely exploited. Nevertheless, the requirement of administrator access in a multi\u2011site WordPress installation makes the attack surface significant for sites with a single compromised admin account. An attacker with such privileges can inject persistent scripts via the plugin settings page, which are delivered to every visitor of affected pages."}}}}, "created": "2026-04-14T16:15:54.774793+00:00", "updated": "2026-04-14T16:30:51.320746+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpcodefactory", "wpcodefactory$PRODUCT$wholesale_products_dynamic_pricing_management_woocommerce"]}