Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Network-reachable stored XSS requiring only Contributor auth (PR:L); scope changes to victim browsers; no availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sysbasics_user_avatar' shortcode in versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied attributes (min_height, min_width, max_height, max_width) in the wcmamtx_get_avatar_default() function, which are concatenated unescaped into the get_avatar() extra_attr style attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the Customize My Account For WooCommerce WordPress plugin (versions up to and including 4.3.6) allows authenticated attackers with Contributor-level access to inject persistent JavaScript payloads via the 'sysbasics_user_avatar' shortcode. The flaw originates in the wcmamtx_get_avatar_default() function, which concatenates unescaped user-supplied shortcode attributes (min_height, min_width, max_height, max_width) directly into the get_avatar() extra_attr style attribute, bypassing sanitization entirely. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold at minimum a Contributor-level WordPress account on the target site - this is an authenticated attack (PR:L per CVSS). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.4 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N accurately characterizes the attack surface: network-reachable, low complexity, requires only Contributor-level authentication (PR:L), and has a scope change (S:C) because the injected script executes in the context of other users' browsers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises a Contributor-level WordPress account on a target site running the plugin at version 4.3.6 or earlier, then creates or edits a page using the sysbasics_user_avatar shortcode, supplying a crafted min_height or max_width attribute value that breaks out of the style attribute context and injects a JavaScript payload. When any authenticated user - including administrators - subsequently visits that page, the stored script executes in their browser session, enabling the attacker to exfiltrate session cookies or perform actions on behalf of the victim. … |
| Remediation | An upstream fix has been committed to the WordPress plugin SVN repository at changeset revision 3571110 (https://plugins.trac.wordpress.org/changeset?old=3571110%40customize-my-account-for-woocommerce&new=3571110%40customize-my-account-for-woocommerce); however, the exact patched release version number is not confirmed from the available input data - site administrators should update to the latest available version in the WordPress Plugin Directory and verify it exceeds 4.3.6. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37859
GHSA-84h2-q86p-qhrg