Description
The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sysbasics_user_avatar' shortcode in versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied attributes (min_height, min_width, max_height, max_width) in the wcmamtx_get_avatar_default() function, which are concatenated unescaped into the get_avatar() extra_attr style attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-06-18
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Customize My Account for WooCommerce plugin permits stored cross‑site scripting via the sysbasics_user_avatar shortcode attributes min_height, min_width, max_height, and max_width. Because these values are concatenated unescaped into the style attribute of get_avatar(), an attacker can inject arbitrary JavaScript. The injected payload is saved in the database and will execute in the browsers of any user who views a page containing the shortcode, allowing the attacker to run code in the context of the site.
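As an added illustration of the remediation pattern (this is example code, not code from the plugin or from OpenCVE): a hypothetical shortcode callback that accepts the same four dimension attributes named above, but coerces each to a bounded integer pixel count before the style string is built, and escapes the result with esc_attr() when it is handed to get_avatar() as extra_attr. The function and shortcode names (example_*) and the 2000px cap are assumptions; the plugin's real wcmamtx_get_avatar_default() is not reproduced.

```php
<?php
// Added example, not the plugin's code. Shows the hardened pattern for the
// sysbasics_user_avatar-style attributes: whitelist the keys, force each value
// to a bounded integer, and escape at output time before get_avatar() sees it.
// Names prefixed example_ are hypothetical. Requires the WordPress runtime
// (shortcode_atts, absint, esc_attr, get_avatar, add_shortcode are core APIs).

function example_safe_user_avatar_style( array $atts ): string {
    // shortcode_atts() drops any attribute not in this whitelist, so only the
    // four expected keys ever reach the loop below.
    $atts = shortcode_atts(
        array(
            'min_height' => '',
            'min_width'  => '',
            'max_height' => '',
            'max_width'  => '',
        ),
        $atts,
        'example_user_avatar'
    );

    $declarations = array();
    foreach ( $atts as $key => $value ) {
        if ( '' === $value ) {
            continue; // attribute not supplied by the author
        }
        // absint() keeps only a leading non-negative integer: quotes,
        // semicolons, letters and anything after them never survive.
        $px = absint( $value );
        if ( $px < 1 || $px > 2000 ) {
            continue; // reject zero and implausible sizes (2000px cap is arbitrary)
        }
        // $key comes from our own whitelist above, so the CSS property name
        // is trusted; the value is now a plain integer.
        $declarations[] = str_replace( '_', '-', $key ) . ':' . $px . 'px';
    }
    return implode( ';', $declarations );
}

function example_safe_user_avatar_shortcode( $atts ) {
    $style      = example_safe_user_avatar_style( (array) $atts );
    $extra_attr = '';
    if ( '' !== $style ) {
        // Escape at output even though the value is already numeric, so a
        // future change to the builder cannot reintroduce the original flaw.
        $extra_attr = 'style="' . esc_attr( $style ) . '"';
    }
    // extra_attr is the same get_avatar() argument the advisory refers to.
    return get_avatar(
        get_current_user_id(),
        96,
        '',
        '',
        array( 'extra_attr' => $extra_attr )
    );
}
add_shortcode( 'example_user_avatar', 'example_safe_user_avatar_shortcode' );
```

The important design choice is that the fix is type enforcement, not just escaping: esc_attr() alone would still let an author place arbitrary CSS declarations in the style attribute, whereas reducing each attribute to an integer pixel count leaves no room for anything except a number.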

Affected Systems

This flaw exists in the SysBasics Customize My Account for WooCommerce plugin for WordPress (vendor phppoet). All releases up to and including version 4.3.6 are vulnerable. The plugin is commonly used on e‑commerce sites that require custom account pages, dashboards, or avatar management and operates within the WordPress environment.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity risk. The EPSS score is below 1%, suggesting that widespread exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with Contributor-level access or higher. Such a user can add malicious attributes to the shortcode, and the resulting script will run in any visitor’s browser when the page is rendered.

Generated by OpenCVE AI on June 18, 2026 at 18:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Customize My Account for WooCommerce plugin to a version newer than 4.3.6 to address the sanitization bug
  • If an immediate upgrade is not feasible, remove or disable the sysbasics_user_avatar shortcode from pages that are accessible to contributors to prevent the stored payload from being rendered
  • Restrict Contributor and other non‑admin roles from editing or inserting shortcodes that could exploit this vulnerability until a patch is applied

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Values Removed: (none shown)

Type: Description
Values Added: The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sysbasics_user_avatar' shortcode in versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied attributes (min_height, min_width, max_height, max_width) in the wcmamtx_get_avatar_default() function, which are concatenated unescaped into the get_avatar() extra_attr style attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: SysBasics Customize My Account for WooCommerce <= 4.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (no values shown)

Type: Metrics
Values Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-18T12:31:19.266Z

Reserved: 2026-06-12T16:46:25.607Z

Link: CVE-2026-12136

Vulnrichment

Updated: 2026-06-18T12:31:13.670Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T18:45:03Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')