Skip to main content

Customize My Account for WooCommerce CVE-2026-57358

| EUVDEUVD-2026-41357 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-2649-c4jx-cgj8
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated network-reachable reflected XSS needing a victim click (UI:R) with cross-context script execution (S:C) yielding limited browser-side C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 12:16 vuln.today
CVE Published
Jul 02, 2026 - 11:15 cve.org
HIGH 7.1

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Customize My Account for WooCommerce <= 4.3.9 versions.

AnalysisAI

Reflected Cross-Site Scripting in the Customize My Account for WooCommerce WordPress plugin (versions 4.3.9 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. The flaw carries a CVSS 7.1 rating driven by a scope change (S:C), meaning script execution crosses the plugin's security boundary into the wider WordPress session context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious link with XSS payload
Delivery
Deliver link to victim via phishing
Exploit
Victim clicks and request reaches plugin
Execution
Payload reflected unsanitized into response
Persist
Script executes in victim browser
Impact
Steal session or perform actions

Vulnerability AssessmentAI

Exploitation Exploitation requires the target WordPress site to have the Customize My Account for WooCommerce plugin (version 4.3.9 or earlier) installed and active, and requires a victim to click an attacker-crafted link (UI:R) that reaches the vulnerable reflected parameter - the attack cannot self-propagate. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, base 7.1) indicates network-reachable, low-complexity exploitation requiring no privileges but mandatory user interaction (UI:R) - the victim must click a crafted link, which is the primary limiting factor. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL to the vulnerable WordPress site containing a malicious JavaScript payload in a reflected parameter handled by the plugin, then distributes it via phishing email, forum post, or social media to logged-in customers or administrators. When a victim clicks the link, the unsanitized payload is reflected into the page and executes in their browser session, allowing session cookie theft, forced actions, or credential harvesting. …
Remediation No vendor-released patch version is identified in the available data; consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/customize-my-account-for-woocommerce/vulnerability/wordpress-customize-my-account-for-woocommerce-plugin-4-3-9-reflected-cross-site-scripting-xss-vulnerability) and the WordPress plugin repository for a release newer than 4.3.9 and upgrade to it as soon as one is confirmed. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all WordPress instances running Customize My Account for WooCommerce versions 4.3.9 or earlier; notify users and administrators to avoid clicking suspicious links from untrusted sources. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57358 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy