Severity by source
AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
PR:H reflects mandatory shop manager authentication; UI:R because a victim must visit the injected page to complete exploitation; S:C captures cross-user stored XSS impact.
Primary rating from Vendor (Wordfence).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionNVD
The SysBasics Customize My Account for WooCommerce - Live My Account Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'row_type' parameter in all versions up to, and including, 4.4.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the SysBasics Customize My Account for WooCommerce plugin (all versions through 4.4.14) allows authenticated shop managers to persist malicious scripts via the unsanitized 'row_type' parameter, executing in any user's browser upon visiting the compromised My Account page. The CVSS scope change (S:C) confirms cross-user impact - injected scripts run in victim sessions, enabling session hijacking or credential theft beyond the attacker's own context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress user account with shop manager-level access or higher (administrator also satisfies this). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 3.1 base score of 4.4 (Medium) reflects the genuine risk ceiling here. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious or compromised shop manager authenticates to the WordPress admin panel and uses the Customize My Account plugin's navigation row configuration to submit a crafted 'row_type' value containing a JavaScript payload. The script is stored in the database without sanitization, and subsequently executes in every authenticated user's browser - including site administrators - when they visit the WooCommerce My Account page, potentially harvesting session cookies or admin credentials. … |
| Remediation | Update the Customize My Account for WooCommerce plugin beyond version 4.4.14 as soon as a patched release is confirmed available in the WordPress plugin repository; the upstream fix has been committed (SVN changeset 3606867 at https://plugins.trac.wordpress.org/changeset?reponame=&old=3606867%40customize-my-account-for-woocommerce&new=3606867%40customize-my-account-for-woocommerce), but the exact released version number has not been independently confirmed from available data - verify the current version in the WordPress admin dashboard or plugin repository before updating. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44902
GHSA-3xrj-6q9q-73hr