Severity: HIGH · CVE-2026-39437 · CNA: Patchstack

CVE-2026-39437: WordPress Min Max Step Quantity Limits Manager for WooCommerce plugin <= 5.2.2 - Reflected Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross-Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce, versions <= 5.2.2.

Metrics

  • CVSS v3.1 score: 7.1
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

Reflected Cross-Site Scripting (XSS) vulnerability in the Min Max Step Quantity Limits Manager for WooCommerce WordPress plugin, affecting versions 5.2.2 and earlier. The flaw is reachable over the network with no authentication required, but a victim must be tricked into visiting a crafted URL. Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser, enabling session token theft, page content modification, and limited availability disruption. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as a fix version is published upstream.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment. The CVE is ingested from upstream feeds, including the Patchstack advisory, within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle this plugin.
Triage (Available)

HarborGuard scores this CVE at 7.1 HIGH using the CVSS v3.1 vector and weights it against each environment's compliance policy to route alerts to the appropriate team inbox inside each customer organization.
Patch (Pending upstream)

No fix version has been published upstream. HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream vendor ships a fix. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, so the attacker must be able to send an HTTP request to the target WordPress site.

  • Authentication: Not required

    No account or session is needed; the attacker can deliver the malicious payload without any prior login.

  • Victim interaction: Required

    A victim (typically a site visitor or admin) must click a crafted URL or otherwise load the attacker-controlled request in their browser for the script to execute.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental prerequisites beyond delivering the crafted link.

Blast Radius

  • Reads browser-accessible (non-HttpOnly) session cookies or authentication tokens belonging to the victim, which an attacker can use to impersonate that user.
  • Injects and executes arbitrary JavaScript in the victim's browser session, enabling modification of visible page content or redirection to attacker-controlled sites.
  • Exfiltrates form input or other data the victim submits while the malicious script is active.
  • Causes limited disruption to the victim's browser session on the affected site, consistent with the CVSS availability impact rating of Low.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked against all customer images that include the WPFactory Min Max Step Quantity Limits Manager for WooCommerce plugin at version 5.2.2 or earlier. Because no upstream fix exists as of the publication date, HarborGuard monitors the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is published. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention. In the interim, compensating controls worth considering include network-policy isolation of the WordPress deployment to reduce exposure, egress filtering to limit JavaScript exfiltration targets, and, where operationally feasible, disabling or removing the affected plugin via a feature-flag or image-build toggle until a patch is available.
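The matching step described above boils down to reading the plugin's version out of its WordPress file header and comparing it numerically against the advisory's upper bound of 5.2.2. The following is an added example (not HarborGuard's scanner and not the plugin's own code) that does exactly that; it assumes the standard WordPress plugin header format (`Plugin Name:` and `Version:` lines in the main file's comment block) and matches on the plugin name from this advisory, because the plugin's slug and main-file path are not given on the page. The sample headers are constructed for illustration. It also shows why a plain string comparison is not good enough: "5.10.0" sorts before "5.2.2" as text but is well outside the affected range.

```python
import re
from typing import Dict, Tuple

# Upper bound of the affected range as stated in the advisory (<= 5.2.2).
AFFECTED_MAX_VERSION = "5.2.2"
# Plugin name as written in the advisory. The slug and main-file path are not on
# the page, so matching is done on the header's "Plugin Name" field (assumption).
AFFECTED_PLUGIN_NAME = "Min Max Step Quantity Limits Manager for WooCommerce"

# Constructed sample plugin headers for illustration; not the plugin's real files.
SAMPLE_AFFECTED = """<?php
/**
 * Plugin Name: Min Max Step Quantity Limits Manager for WooCommerce
 * Description: Constructed sample header for illustration only.
 * Version: 5.2.2
 */
"""

SAMPLE_NEWER = """<?php
/*
Plugin Name: Min Max Step Quantity Limits Manager for WooCommerce
Version: 5.10.0
*/
"""

# Matches "Key: Value" header lines, with or without a leading " * ".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(source: str) -> Dict[str, str]:
    """Extract 'Plugin Name' and 'Version' from a WordPress plugin file header.
    Both comment styles WordPress accepts are handled; the first hit per key wins."""
    header: Dict[str, str] = {}
    for key, value in HEADER_RE.findall(source):
        header.setdefault(key, value)
    return header


def version_key(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a tuple of ints. Anything after the
    numeric part (e.g. '-beta1') is ignored, which is deliberately conservative:
    a pre-release of 5.2.2 is still treated as inside the affected range."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def compare_versions(a: str, b: str) -> int:
    """Three-way compare (-1, 0, 1). Shorter tuples are zero-padded so that
    '5.2' == '5.2.0' and '5.2' < '5.2.2'."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += (0,) * (n - len(ka))
    kb += (0,) * (n - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected_version(version: str) -> bool:
    """True when the version falls inside the advisory's affected range."""
    return compare_versions(version, AFFECTED_MAX_VERSION) <= 0


def assess_plugin_source(source: str) -> Dict[str, object]:
    """Assess one plugin main file's source text against this advisory."""
    header = parse_plugin_header(source)
    name = header.get("Plugin Name")
    version = header.get("Version")
    result: Dict[str, object] = {"plugin": name, "version": version, "affected": False}
    if name is None or version is None:
        result["reason"] = "header incomplete"
        return result
    if name.strip().lower() != AFFECTED_PLUGIN_NAME.lower():
        result["reason"] = "different plugin"
        return result
    result["affected"] = is_affected_version(version)
    result["reason"] = (
        f"version {version} <= {AFFECTED_MAX_VERSION}" if result["affected"]
        else f"version {version} > {AFFECTED_MAX_VERSION}"
    )
    return result


if __name__ == "__main__":
    for label, src in (("affected sample", SAMPLE_AFFECTED), ("newer sample", SAMPLE_NEWER)):
        print(label, assess_plugin_source(src))
```

In an image-scanning context the same `assess_plugin_source` call would be run over the main PHP file of each plugin found under `wp-content/plugins/` in the image layer; a hit on the affected range is the signal that the compensating controls above apply until an upstream fix version appears.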

Affected packages
  • WPFactory / Min Max Step Quantity Limits Manager for WooCommerce
    ≤ 5.2.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L