What the vulnerability does
01Description
The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'orderform_data' AJAX action in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in order records that will execute whenever an administrator accesses the Orders page in the admin dashboard. The vulnerability was partially patched in version 1.5.
Explanation of Vulnerability in Simple Terms
02Summary
The Sell BTC – Cryptocurrency Selling Calculator plugin for WordPress contains a cross-site scripting (XSS) vulnerability in versions 1.5 and earlier. An attacker can inject malicious JavaScript that executes in visitors' browsers without authentication or user interaction. The vulnerability affects multiple users across the site due to its changed scope, potentially compromising session tokens or redirecting users to phishing pages.
What an attacker can do
03Attacker Capabilities
Inject malicious JavaScript that runs in visitors' browsers, stealing session data or redirecting users to phishing sites.
Potential impact on your site
04Site Impact
Visitors to your site may have their sessions hijacked, credentials stolen, or be redirected to malicious pages without your knowledge.
Conditions required to exploit
05Prerequisites
No authentication or user interaction required; attacker can exploit this remotely via a crafted request.
Key dates
06Disclosure timeline
January 31, 2026
CVE published
April 8, 2026
Record updated