PT-2026-31568 · Unknown+1 · Woocommerce+1

Published 2026-04-09 · Updated 2026-04-10 · CVE-2026-3574

CVSS v3.1: 4.4 (Medium)
Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Experto Dashboard for WooCommerce plugin for WordPress, versions up to and including 1.0.4
Description: The Experto Dashboard for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its settings fields, including 'Navigation Font Size', 'Navigation Font Weight', 'Heading Font Size', 'Heading Font Weight', 'Text Font Size', and 'Text Font Weight'. The root cause is insufficient input sanitization (no sanitize_callback is passed to register_setting()) combined with missing output escaping (the printf() output in field_callback() lacks esc_attr()). An authenticated attacker with Administrator-level access or higher can therefore store arbitrary web script in the plugin's settings, and it executes in the browser of any user who loads the settings page. The issue is only relevant on multi-site installations and on sites where the unfiltered_html capability has been disabled, since elsewhere Administrators are already permitted to publish unfiltered HTML.
Recommendations: Update to a version later than 1.0.4.
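To make the root cause concrete, the following PHP shows the vulnerable pattern the advisory describes (an option registered without a sanitize_callback, then printed into an attribute without esc_attr()) beside a hardened form. This is an added illustration, not the plugin's own code: the option names (expdash_*), function names and default values are hypothetical, and the plugin's real field names are not known from this page.

```php
<?php
// Added illustration of the advisory's root cause and its fix.
// Not the plugin's code: expdash_* option/function names are hypothetical.

// ---- Vulnerable pattern ----

// 1. register_setting() with no 'sanitize_callback': whatever an Administrator
//    submits on the settings page is stored verbatim in wp_options.
function expdash_vuln_register_settings() {
    register_setting( 'expdash_options', 'expdash_nav_font_size' );
}
add_action( 'admin_init', 'expdash_vuln_register_settings' );

// 2. The field callback prints the stored value into an attribute unescaped.
//    A stored value like   16px" onfocus="alert(1)" autofocus="   closes the
//    value attribute and runs for every user who renders the settings page.
function expdash_vuln_nav_font_size_field() {
    $value = get_option( 'expdash_nav_font_size', '16px' );
    printf(
        '<input type="text" name="expdash_nav_font_size" value="%s">',
        $value
    );
}

// ---- Hardened pattern ----

// Input side: allow-list sanitizers. A font size is a number with an optional
// CSS length unit; a font weight is a keyword or a multiple of 100. Anything
// else falls back to the default. This is stricter than sanitize_text_field(),
// which would still let quote characters through.
function expdash_sanitize_font_size( $input ) {
    $input = trim( (string) $input );
    return preg_match( '/^\d{1,3}(\.\d+)?(px|em|rem|%)?$/', $input ) ? $input : '16px';
}

function expdash_sanitize_font_weight( $input ) {
    $input   = strtolower( trim( (string) $input ) );
    $allowed = array( 'normal', 'bold', 'lighter', 'bolder' );
    if ( in_array( $input, $allowed, true ) ) {
        return $input;
    }
    return preg_match( '/^[1-9]00$/', $input ) ? $input : 'normal';
}

function expdash_safe_register_settings() {
    register_setting(
        'expdash_options',
        'expdash_nav_font_size',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'expdash_sanitize_font_size',
            'default'           => '16px',
        )
    );
    register_setting(
        'expdash_options',
        'expdash_nav_font_weight',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'expdash_sanitize_font_weight',
            'default'           => 'normal',
        )
    );
}
add_action( 'admin_init', 'expdash_safe_register_settings' );

// Output side: esc_attr() on every value placed inside an HTML attribute, even
// though the sanitizer should already have rejected bad input (defence in depth;
// the option could also have been written by other code or an older version).
function expdash_safe_nav_font_size_field() {
    $value = get_option( 'expdash_nav_font_size', '16px' );
    printf(
        '<input type="text" id="expdash_nav_font_size" name="expdash_nav_font_size" value="%s">',
        esc_attr( $value )
    );
}
```

Both halves of the fix matter: the sanitize_callback stops the payload from ever reaching the database, and esc_attr() neutralises anything that is already stored (for example from a version installed before the fix). When auditing another plugin for the same bug class, look for register_setting() calls that pass no third argument or no 'sanitize_callback' key, and for printf()/echo in settings field callbacks whose attribute values are not wrapped in esc_attr().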

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-3574

Affected Products: Experto Dashboard For Woocommerce, Woocommerce