Skip to main content

WooCommerce My Account CVE-2026-12136

| EUVDEUVD-2026-37859 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-18 Wordfence GHSA-84h2-q86p-qhrg
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.4 MEDIUM

Network-reachable stored XSS requiring only Contributor auth (PR:L); scope changes to victim browsers; no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 18, 2026 - 08:05 vuln.today
CVE Published
Jun 18, 2026 - 06:50 cve.org
MEDIUM 6.4

DescriptionCVE.org

The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sysbasics_user_avatar' shortcode in versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied attributes (min_height, min_width, max_height, max_width) in the wcmamtx_get_avatar_default() function, which are concatenated unescaped into the get_avatar() extra_attr style attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the Customize My Account For WooCommerce WordPress plugin (versions up to and including 4.3.6) allows authenticated attackers with Contributor-level access to inject persistent JavaScript payloads via the 'sysbasics_user_avatar' shortcode. The flaw originates in the wcmamtx_get_avatar_default() function, which concatenates unescaped user-supplied shortcode attributes (min_height, min_width, max_height, max_width) directly into the get_avatar() extra_attr style attribute, bypassing sanitization entirely. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Contributor-level WordPress account
Delivery
Craft malicious sysbasics_user_avatar shortcode attribute
Exploit
Inject payload into post or page content
Execution
Victim browses injected page
Persist
Stored script executes in victim's browser
Impact
Exfiltrate session token or hijack privileged session

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold at minimum a Contributor-level WordPress account on the target site - this is an authenticated attack (PR:L per CVSS). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.4 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N accurately characterizes the attack surface: network-reachable, low complexity, requires only Contributor-level authentication (PR:L), and has a scope change (S:C) because the injected script executes in the context of other users' browsers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a Contributor-level WordPress account on a target site running the plugin at version 4.3.6 or earlier, then creates or edits a page using the sysbasics_user_avatar shortcode, supplying a crafted min_height or max_width attribute value that breaks out of the style attribute context and injects a JavaScript payload. When any authenticated user - including administrators - subsequently visits that page, the stored script executes in their browser session, enabling the attacker to exfiltrate session cookies or perform actions on behalf of the victim. …
Remediation An upstream fix has been committed to the WordPress plugin SVN repository at changeset revision 3571110 (https://plugins.trac.wordpress.org/changeset?old=3571110%40customize-my-account-for-woocommerce&new=3571110%40customize-my-account-for-woocommerce); however, the exact patched release version number is not confirmed from the available input data - site administrators should update to the latest available version in the WordPress Plugin Directory and verify it exceeds 4.3.6. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12136 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy