Security Alert Summary
The Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin contains a stored cross-site scripting (XSS) vulnerability in its alg_wc_cog_product_cost and alg_wc_cog_product_profit shortcodes. Authenticated users with contributor-level access or higher can inject scripts via shortcode attributes that will execute when a page with the injected content is viewed.
CVE Details
- CVE ID: CVE-2026-6962
- Affected plugin or component: The Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin for WordPress
- Affected versions: All versions up to and including 4.1.0
- Published: May 13, 2026 at 5:16:24 AM
- Last modified: May 13, 2026 at 2:43:46 PM
- CVSS v3.1: Base score 6.4 (MEDIUM) – Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- Authentication / Privileges / User interaction: Authentication required: yes. Privileges required: Low (contributor-level access or higher). User interaction: None.
- Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
- CWE: CWE-79 (Cross-site Scripting)
Technical Details
The vulnerability is a stored cross-site scripting issue caused by insufficient input sanitization and output escaping of user-supplied shortcode attributes. The alg_wc_cog_product_cost and alg_wc_cog_product_profit shortcodes accept attributes whose values are saved in post content and later written into the rendered page without being escaped for the HTML context they land in.
Because attribute values are persisted and displayed, an authenticated user with contributor-level access or higher can inject arbitrary web scripts that execute in the browser of anyone who views the affected page. Contributors normally cannot save raw HTML, because WordPress filters their post content, but the payload here is plain text inside a shortcode attribute and only becomes markup when the plugin renders it, which is why the low-privilege contributor role is sufficient. The CVE description identifies the root cause as missing or insufficient sanitization and escaping of shortcode attribute data in versions up to and including 4.1.0; the reference links below point to the relevant lines of includes/class-alg-wc-cog-products.php in the 4.1.0 tag.
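The pattern behind this class of bug, as an added illustration that is not the plugin's code (the references below point to the real handlers; the function names, attribute names, cost table and payload here are assumptions constructed for the demo). The vulnerable handler concatenates attribute values into HTML; the hardened one escapes each value for the context it lands in. The stand-in definitions at the top only exist so the file runs outside WordPress, where the core functions of the same names take over.

```php
<?php
// Added illustration, not the plugin's code: a hypothetical WooCommerce-style
// shortcode handler showing the unescaped-attribute pattern behind CWE-79 and
// its hardened form. Attribute names and the cost table are assumptions.

// Minimal stand-ins so this file runs outside WordPress; inside WordPress the
// core esc_attr()/esc_html()/shortcode_atts() exist and these are skipped.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'shortcode_atts' ) ) {
    function shortcode_atts( $defaults, $atts ) {
        return array_merge( $defaults, array_intersect_key( (array) $atts, $defaults ) );
    }
}

// Constructed stand-in for a product-cost lookup (a real plugin reads post meta).
function demo_get_product_cost( $product_id ) {
    $costs = array( 42 => 12.5, 43 => 3.0 );
    return isset( $costs[ $product_id ] ) ? $costs[ $product_id ] : 0.0;
}

// VULNERABLE pattern: attribute values go straight into the HTML string.
// Anyone who can save [demo_product_cost ...] in a post controls all of them.
function demo_product_cost_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'product_id' => 0, 'class' => '', 'before' => '', 'after' => '' ), $atts );
    $cost = demo_get_product_cost( (int) $atts['product_id'] );
    return $atts['before'] . '<span class="' . $atts['class'] . '">' . $cost . '</span>' . $atts['after'];
}

// HARDENED pattern: esc_attr() for values inside an attribute, esc_html() for
// values in text, and the numeric field is cast before use. If before/after
// are meant to carry markup, wp_kses_post() is the right filter for them
// instead of esc_html(); raw output never is.
function demo_product_cost_hardened( $atts ) {
    $atts = shortcode_atts( array( 'product_id' => 0, 'class' => '', 'before' => '', 'after' => '' ), $atts );
    $cost = demo_get_product_cost( (int) $atts['product_id'] );
    return esc_html( $atts['before'] )
        . '<span class="' . esc_attr( $atts['class'] ) . '">'
        . esc_html( number_format( $cost, 2 ) ) . '</span>'
        . esc_html( $atts['after'] );
}

// Constructed payload. It contains no '<' or '>', so the content filter that
// WordPress applies to contributors' posts (wp_kses) leaves it alone; it only
// becomes an event-handler attribute when the vulnerable handler renders it.
// In a post it would be written as:
//   [demo_product_cost product_id="42" class='x" onmouseover="alert(1)" x="']
$payload = array( 'product_id' => 42, 'class' => 'x" onmouseover="alert(1)" x="' );

echo demo_product_cost_vulnerable( $payload ), PHP_EOL;
echo demo_product_cost_hardened( $payload ), PHP_EOL;
```

Run with `php` on the command line: the vulnerable handler emits a span whose class attribute is closed early and followed by an onmouseover handler, while the hardened handler turns every double quote into `&quot;`, so the browser sees one harmless class attribute. The fix is the same whether the value arrives via shortcode attribute, block attribute or widget setting: escape at output for the context, and validate types (here the product ID) before use.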
How This Could Impact Your Website
On a typical WordPress site, the site owner manages content while internal staff and external contributors write or edit posts and product pages. A malicious or compromised contributor account could insert a crafted shortcode attribute into any post it is allowed to write, storing a script in that content. Contributors cannot publish on their own, but the shortcode renders in preview, so the editor or administrator who reviews the pending post is a natural first victim; after publication, any visitor or logged-in user who views the page is exposed.
- Exposure of internal user email addresses or other information visible on rendered pages.
- Increased risk of targeted phishing or social engineering attacks against staff whose browsers executed the injected script.
- Unauthorized actions performed in the context of the viewing user. The script runs in the site's own origin with the viewer's session, so if the viewer is an administrator this includes anything the WordPress admin interface exposes, such as creating users or editing plugin files.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin to a release newer than 4.1.0 as soon as a patched version is available. Until then, deactivating the plugin, or unregistering the two shortcodes with remove_shortcode() from a small must-use plugin, closes the injection point at the cost of the cost and profit output.
- Audit every account with contributor-level access or higher and remove any that are not needed; that role is all the attack requires.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins.
- Monitor site activity and logs for unusual behavior or unexpected changes to pages and products, and search existing post content for the two shortcodes with attribute values that contain quotes, angle brackets or event-handler names, since a payload stored before the update keeps working until the plugin is patched and the content is cleaned.
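A scan of stored content for already-planted payloads, as an added example that is not part of this advisory or the plugin. It extracts every call to the two affected shortcodes from post content, parses the attributes the way WordPress's shortcode parser accepts them (double-quoted, single-quoted or bare), and flags values that carry markup or event-handler characters. The regexes, threshold of what counts as suspicious, and the sample rows are constructed for the demo.

```php
<?php
// Added example, not the advisory's or the plugin's code: scan saved post
// content for the two affected shortcodes and flag attribute values that
// have no business in a cost/profit shortcode. Regexes are assumptions.

// Calls to either affected shortcode; group 1 is the name, group 2 the raw attribute text.
const COG_SHORTCODE_RE = '/\[(alg_wc_cog_product_(?:cost|profit))\b([^\]]*)\]/i';
// name="value", name='value' or bare name=value, as WordPress's parser accepts.
const COG_ATTR_RE      = '/(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'\]]+))/';
// Quote or tag breakout, inline event handlers and script URLs are never legitimate here.
const COG_SUSPECT_RE   = '/[<>"\']|\bon\w+\s*=|javascript:|data:/i';

// $posts: rows with 'ID' and 'post_content'. Returns one finding per suspicious attribute.
function cog_find_suspicious_shortcodes( array $posts ) {
    $findings = array();
    foreach ( $posts as $post ) {
        if ( ! preg_match_all( COG_SHORTCODE_RE, $post['post_content'], $calls, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $calls as $call ) {
            preg_match_all( COG_ATTR_RE, $call[2], $attrs, PREG_SET_ORDER );
            foreach ( $attrs as $a ) {
                // Exactly one of the three value groups matched; PCRE omits
                // trailing unmatched groups and leaves middle ones empty.
                $value = $a[4] ?? ( $a[3] ?? $a[2] );
                if ( preg_match( COG_SUSPECT_RE, $value ) ) {
                    $findings[] = array(
                        'post_id'   => $post['ID'],
                        'shortcode' => $call[1],
                        'attribute' => $a[1],
                        'value'     => $value,
                    );
                }
            }
        }
    }
    return $findings;
}

// Constructed sample rows in the shape produced by
// `wp post list --fields=ID,post_content --format=json` after json_decode().
$sample_posts = array(
    array( 'ID' => 101, 'post_content' => 'Margin: [alg_wc_cog_product_profit product_id="42" before="Profit: "]' ),
    array( 'ID' => 102, 'post_content' => "[alg_wc_cog_product_cost product_id=42 class='x\" onmouseover=\"alert(1)\" x=\"']" ),
    array( 'ID' => 103, 'post_content' => '[alg_wc_cog_product_cost product_id="43" after="<img src=x onerror=alert(1)>"]' ),
);

foreach ( cog_find_suspicious_shortcodes( $sample_posts ) as $f ) {
    printf( "post %d: [%s] %s=%s\n", $f['post_id'], $f['shortcode'], $f['attribute'], $f['value'] );
}
```

Only posts 102 and 103 produce findings; the benign call in post 101 passes. Feed the function the decoded output of `wp post list --fields=ID,post_content --format=json`, or run the file inside WordPress with `wp eval-file` and query the posts table directly. Treat findings as review candidates rather than verdicts: an apostrophe in a legitimate `before` label trips the quote check, which is the right trade-off when the alternative is missing a stored payload.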
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/cost-of-goods-for-woocommerce/tags/4.1.0/includes/class-alg-wc-cog-products.php#L119
- https://plugins.trac.wordpress.org/browser/cost-of-goods-for-woocommerce/tags/4.1.0/includes/class-alg-wc-cog-products.php#L133
- https://plugins.trac.wordpress.org/browser/cost-of-goods-for-woocommerce/tags/4.1.0/includes/class-alg-wc-cog-products.php#L158
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3524832%40cost-of-goods-for-woocommerce&new=3524832%40cost-of-goods-for-woocommerce&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/aedde7a7-018d-45f9-8f67-f4ea01be894e?source=cve