CVE-2026-32526
Published: 25 March 2026
Summary
CVE-2026-32526 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires the system to validate information inputs, directly preventing the injection and storage of malicious payloads due to improper neutralization in this stored XSS vulnerability.
SI-15 mandates filtering of outputs prior to web page generation, comprehensively mitigating the cross-site scripting execution when victims view affected pages.
SI-2 ensures timely flaw remediation, such as patching the vulnerable Abandoned Cart Recovery for WooCommerce plugin beyond version 1.1.10.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS in public-facing WordPress plugin directly enables T1190 (exploiting the vulnerable input handling over the network), T1189 (persistent malicious script delivery to site visitors), and T1059.007 (arbitrary JavaScript execution in victim browsers).
NVD Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VillaTheme Abandoned Cart Recovery for WooCommerce woo-abandoned-cart-recovery allows Stored XSS.This issue affects Abandoned Cart Recovery for WooCommerce: from n/a through <= 1.1.10.
Deeper analysisAI
CVE-2026-32526 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Stored Cross-site Scripting (XSS) as classified under CWE-79, in the VillaTheme Abandoned Cart Recovery for WooCommerce WordPress plugin (woo-abandoned-cart-recovery). This issue affects all versions from n/a through 1.1.10 inclusive. The vulnerability carries a CVSS v3.1 base score of 7.1, with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, and was published on 2026-03-25T17:17:05.717.
Unauthenticated attackers can exploit this over the network with low attack complexity and no privileges required by injecting malicious payloads into plugin-handled inputs, which are stored without proper neutralization. Victims viewing affected pages provide the required user interaction, triggering script execution in a changed scope and resulting in low impacts to confidentiality, integrity, and availability, such as potential session hijacking or data theft in the victim's browser context.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/woo-abandoned-cart-recovery/vulnerability/wordpress-abandoned-cart-recovery-for-woocommerce-plugin-1-1-10-cross-site-scripting-xss-vulnerability?_s_id=cve details the vulnerability in version 1.1.10, with mitigation centered on updating the Abandoned Cart Recovery for WooCommerce plugin to a patched version beyond 1.1.10.
Details
- CWE(s)