Cyber Resilience

CVE-2026-32526

High

Published: 25 March 2026

Published
25 March 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0004 14.4th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32526 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-32526 is an Improper Neutralization of Input During Web Page Generation vulnerability, enabling Stored Cross-site Scripting (XSS) as classified under CWE-79, in the VillaTheme Abandoned Cart Recovery for WooCommerce WordPress plugin (woo-abandoned-cart-recovery). This issue affects all versions from n/a through 1.1.10 inclusive. The vulnerability carries a CVSS v3.1 base score of 7.1, with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, and was published on 2026-03-25T17:17:05.717.

Unauthenticated attackers can exploit this over the network with low attack complexity and no privileges required by injecting malicious payloads into plugin-handled inputs, which are stored without proper neutralization. Victims viewing affected pages provide the required user interaction, triggering script execution in a changed scope and resulting in low impacts to confidentiality, integrity, and availability, such as potential session hijacking or data theft in the victim's browser context.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/woo-abandoned-cart-recovery/vulnerability/wordpress-abandoned-cart-recovery-for-woocommerce-plugin-1-1-10-cross-site-scripting-xss-vulnerability?_s_id=cve details the vulnerability in version 1.1.10, with mitigation centered on updating the Abandoned Cart Recovery for WooCommerce plugin to a patched version beyond 1.1.10.

EU & UK References

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VillaTheme Abandoned Cart Recovery for WooCommerce woo-abandoned-cart-recovery allows Stored XSS.This issue affects Abandoned Cart Recovery for WooCommerce: from n/a through <= 1.1.10.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Stored XSS in public-facing WordPress plugin directly enables T1190 (exploiting the vulnerable input handling over the network), T1189 (persistent malicious script delivery to site visitors), and T1059.007 (arbitrary JavaScript execution in victim browsers).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42224Shared CWE-79
CVE-2025-69003Shared CWE-79
CVE-2024-56069Shared CWE-79
CVE-2025-69367Shared CWE-79
CVE-2026-33331Shared CWE-79
CVE-2024-30547Shared CWE-79
CVE-2025-25165Shared CWE-79
CVE-2026-3220Shared CWE-79
CVE-2026-22029Shared CWE-79
CVE-2026-7332Shared CWE-79

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 requires the system to validate information inputs, directly preventing the injection and storage of malicious payloads due to improper neutralization in this stored XSS vulnerability.

prevent

SI-15 mandates filtering of outputs prior to web page generation, comprehensively mitigating the cross-site scripting execution when victims view affected pages.

prevent

SI-2 ensures timely flaw remediation, such as patching the vulnerable Abandoned Cart Recovery for WooCommerce plugin beyond version 1.1.10.

References