Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Unauthenticated network-reachable reflected XSS needing a victim click (UI:R) with cross-context script execution (S:C) yielding limited browser-side C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Customize My Account for WooCommerce <= 4.3.9 versions.
AnalysisAI
Reflected Cross-Site Scripting in the Customize My Account for WooCommerce WordPress plugin (versions 4.3.9 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. The flaw carries a CVSS 7.1 rating driven by a scope change (S:C), meaning script execution crosses the plugin's security boundary into the wider WordPress session context. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target WordPress site to have the Customize My Account for WooCommerce plugin (version 4.3.9 or earlier) installed and active, and requires a victim to click an attacker-crafted link (UI:R) that reaches the vulnerable reflected parameter - the attack cannot self-propagate. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, base 7.1) indicates network-reachable, low-complexity exploitation requiring no privileges but mandatory user interaction (UI:R) - the victim must click a crafted link, which is the primary limiting factor. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL to the vulnerable WordPress site containing a malicious JavaScript payload in a reflected parameter handled by the plugin, then distributes it via phishing email, forum post, or social media to logged-in customers or administrators. When a victim clicks the link, the unsanitized payload is reflected into the page and executes in their browser session, allowing session cookie theft, forced actions, or credential harvesting. … |
| Remediation | No vendor-released patch version is identified in the available data; consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/customize-my-account-for-woocommerce/vulnerability/wordpress-customize-my-account-for-woocommerce-plugin-4-3-9-reflected-cross-site-scripting-xss-vulnerability) and the WordPress plugin repository for a release newer than 4.3.9 and upgrade to it as soon as one is confirmed. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all WordPress instances running Customize My Account for WooCommerce versions 4.3.9 or earlier; notify users and administrators to avoid clicking suspicious links from untrusted sources. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41357
GHSA-2649-c4jx-cgj8