Skip to main content

Customize My Account CVE-2026-15324

| EUVDEUVD-2026-44902 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-16 Wordfence GHSA-3xrj-6q9q-73hr
4.4
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
MEDIUM
qualitative
NVD
4.4 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
4.0 MEDIUM

PR:H reflects mandatory shop manager authentication; UI:R because a victim must visit the injected page to complete exploitation; S:C captures cross-user stored XSS impact.

3.1 AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 09:09 vuln.today
CVE Published
Jul 16, 2026 - 08:26 cve.org
MEDIUM 4.4

DescriptionNVD

The SysBasics Customize My Account for WooCommerce - Live My Account Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'row_type' parameter in all versions up to, and including, 4.4.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the SysBasics Customize My Account for WooCommerce plugin (all versions through 4.4.14) allows authenticated shop managers to persist malicious scripts via the unsanitized 'row_type' parameter, executing in any user's browser upon visiting the compromised My Account page. The CVSS scope change (S:C) confirms cross-user impact - injected scripts run in victim sessions, enabling session hijacking or credential theft beyond the attacker's own context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as shop manager
Delivery
Access Customize My Account plugin settings
Exploit
Inject script payload into row_type parameter
Execution
Payload stored in database
Persist
Victim user visits WooCommerce My Account page
Impact
Malicious script executes in victim's browser session

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress user account with shop manager-level access or higher (administrator also satisfies this). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 base score of 4.4 (Medium) reflects the genuine risk ceiling here. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A malicious or compromised shop manager authenticates to the WordPress admin panel and uses the Customize My Account plugin's navigation row configuration to submit a crafted 'row_type' value containing a JavaScript payload. The script is stored in the database without sanitization, and subsequently executes in every authenticated user's browser - including site administrators - when they visit the WooCommerce My Account page, potentially harvesting session cookies or admin credentials. …
Remediation Update the Customize My Account for WooCommerce plugin beyond version 4.4.14 as soon as a patched release is confirmed available in the WordPress plugin repository; the upstream fix has been committed (SVN changeset 3606867 at https://plugins.trac.wordpress.org/changeset?reponame=&old=3606867%40customize-my-account-for-woocommerce&new=3606867%40customize-my-account-for-woocommerce), but the exact released version number has not been independently confirmed from available data - verify the current version in the WordPress admin dashboard or plugin repository before updating. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15324 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy