CVE-2026-24526 in Email Inquiry Plugin
Summary
by MITRE • 01/23/2026
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Steve Truman Email Inquiry & Cart Options for WooCommerce woocommerce-email-inquiry-cart-options allows DOM-Based XSS.This issue affects Email Inquiry & Cart Options for WooCommerce: from n/a through <= 3.4.3.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 01/25/2026
This vulnerability represents a critical cross-site scripting weakness that specifically targets the DOM-based execution environment within the WooCommerce email inquiry and cart options plugin. The flaw exists in the improper handling of user input during web page generation processes, creating an avenue for malicious actors to inject client-side scripts that execute in the context of other users' browsers. The vulnerability is classified as a DOM-based XSS attack because the malicious script is executed within the document object model rather than being reflected in HTTP responses, making it particularly insidious as it can persist through user interactions and page reloads.
The technical implementation of this vulnerability stems from insufficient sanitization and validation of input parameters that are processed by the plugin's JavaScript components. When users submit email inquiries or interact with cart options, the plugin fails to properly neutralize potentially malicious input before incorporating it into dynamic web page content. This allows attackers to craft payloads that exploit the plugin's DOM manipulation functions, enabling unauthorized script execution in the victim's browser context. The vulnerability affects versions of the plugin from the initial release through and including version 3.4.3, indicating a long-standing issue that has not been adequately addressed in the codebase.
The operational impact of this vulnerability extends beyond simple script injection, as it can potentially enable attackers to perform a wide range of malicious activities including session hijacking, credential theft, and data exfiltration from authenticated users. An attacker could craft a malicious email inquiry that, when viewed by an administrator or other privileged user, would execute scripts to steal session cookies or redirect users to phishing sites. The DOM-based nature of the attack means that the malicious code can persist across different pages and user sessions, making it particularly dangerous in environments where administrators frequently interact with email inquiry data. This vulnerability directly maps to CWE-79 which specifically addresses cross-site scripting flaws, and aligns with ATT&CK technique T1566.001 for initial access through spearphishing attachments and links.
The remediation approach requires immediate implementation of comprehensive input validation and output encoding mechanisms within the plugin's JavaScript processing functions. Developers should implement proper sanitization of all user-supplied data before it is incorporated into DOM operations, utilizing established libraries and frameworks designed for XSS prevention. The fix should include implementing Content Security Policy headers to limit script execution contexts and ensuring that all dynamic content generation properly escapes special characters. Additionally, the plugin should undergo thorough code review to identify and address any other DOM-based operations that might be vulnerable to similar attacks. Regular security testing and automated vulnerability scanning should be implemented to prevent future regressions, while maintaining updated documentation of input validation procedures to ensure consistent application across all plugin components.