Skip to main content

Customize My Account WooCommerce CVE-2026-12137

| EUVDEUVD-2026-37861 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-18 Wordfence GHSA-7jvm-9fg9-5j8v
6.1
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Attacker is unauthenticated (PR:N) but victim must be an active Shop Manager; scope changes into admin context enabling limited data read and action (C:L/I:L).

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 18, 2026 - 08:07 vuln.today
CVE Published
Jun 18, 2026 - 06:50 cve.org
MEDIUM 6.1

DescriptionCVE.org

The SysBasics Customize My Account for WooCommerce - Dashboard, Endpoints, Avatar & Menu Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 4.3.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Because the vulnerable plugin_options_page() function is only rendered within the WordPress admin dashboard, successful exploitation requires the targeted victim to be logged in with Shop Manager-level access or higher.

AnalysisAI

Reflected Cross-Site Scripting in the SysBasics Customize My Account for WooCommerce plugin (versions ≤ 4.3.6) enables unauthenticated attackers to inject arbitrary JavaScript via the unsanitized 'tab' parameter in the admin settings page. Exploitation is constrained by a critical precondition: the vulnerable plugin_options_page() function is rendered exclusively in the WordPress admin dashboard, meaning the targeted victim must hold Shop Manager-level access or higher and be socially engineered into clicking a crafted link while authenticated. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious URL with XSS in 'tab' parameter
Delivery
Phish authenticated Shop Manager via email or poisoned link
Exploit
Victim clicks link in active admin session
Execution
Browser reflects script in wp-admin dashboard context
Persist
Execute arbitrary JavaScript as Shop Manager
Impact
Exfiltrate nonces or session cookies

Vulnerability AssessmentAI

Exploitation Exploitation requires two simultaneous preconditions. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 base score of 6.1 (Medium) reflects the network accessibility and scope change inherent to reflected XSS, but materially overstates the practical risk in isolation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious URL targeting the WooCommerce plugin settings page with a JavaScript payload embedded in the 'tab' query parameter (e.g., `wp-admin/admin.php?page=customize-my-account&tab=<script>...`) and delivers it to a Shop Manager via a phishing email or poisoned link on a trusted site. When the Shop Manager clicks the link while authenticated, their browser executes the attacker's script within the `wp-admin` origin, enabling session token theft or automated WooCommerce actions such as exporting customer data. …
Remediation An upstream source-level fix is available via the WordPress plugin SVN changeset at https://plugins.trac.wordpress.org/changeset?old=3571110%40customize-my-account-for-woocommerce&new=3571110%40customize-my-account-for-woocommerce; however, a specific patched release version number is not independently confirmed from the provided data - administrators should update to the latest available version via the WordPress plugin repository and verify the installed version exceeds 4.3.6. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12137 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy