Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attacker is unauthenticated (PR:N) but victim must be an active Shop Manager; scope changes into admin context enabling limited data read and action (C:L/I:L).
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The SysBasics Customize My Account for WooCommerce - Dashboard, Endpoints, Avatar & Menu Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 4.3.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Because the vulnerable plugin_options_page() function is only rendered within the WordPress admin dashboard, successful exploitation requires the targeted victim to be logged in with Shop Manager-level access or higher.
AnalysisAI
Reflected Cross-Site Scripting in the SysBasics Customize My Account for WooCommerce plugin (versions ≤ 4.3.6) enables unauthenticated attackers to inject arbitrary JavaScript via the unsanitized 'tab' parameter in the admin settings page. Exploitation is constrained by a critical precondition: the vulnerable plugin_options_page() function is rendered exclusively in the WordPress admin dashboard, meaning the targeted victim must hold Shop Manager-level access or higher and be socially engineered into clicking a crafted link while authenticated. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two simultaneous preconditions. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 base score of 6.1 (Medium) reflects the network accessibility and scope change inherent to reflected XSS, but materially overstates the practical risk in isolation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious URL targeting the WooCommerce plugin settings page with a JavaScript payload embedded in the 'tab' query parameter (e.g., `wp-admin/admin.php?page=customize-my-account&tab=<script>...`) and delivers it to a Shop Manager via a phishing email or poisoned link on a trusted site. When the Shop Manager clicks the link while authenticated, their browser executes the attacker's script within the `wp-admin` origin, enabling session token theft or automated WooCommerce actions such as exporting customer data. … |
| Remediation | An upstream source-level fix is available via the WordPress plugin SVN changeset at https://plugins.trac.wordpress.org/changeset?old=3571110%40customize-my-account-for-woocommerce&new=3571110%40customize-my-account-for-woocommerce; however, a specific patched release version number is not independently confirmed from the provided data - administrators should update to the latest available version via the WordPress plugin repository and verify the installed version exceeds 4.3.6. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37861
GHSA-7jvm-9fg9-5j8v