Description
The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Published: 2026-06-22
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Ultimate WooCommerce Auction Pro plugin for WordPress through version 2.4.5 contains an unsanitized, unescaped parameter named uwa_auctions_bids_list. When the plugin outputs this value without filtering, malicious code supplied by an attacker is reflected in the browser. Because the output is rendered client‑side, the flaw allows an attacker to inject and execute arbitrary JavaScript in the context of any user who views the affected page, potentially capturing session cookies or performing actions on behalf of administrators.

Affected Systems

WordPress sites that have installed the Ultimate WooCommerce Auction Pro plugin version 2.4.5 or earlier are affected. The plugin, identified internally as ultimate-woocommerce-auction-pro, is distributed by an unnamed vendor; any installation that has not upgraded past 2.4.5 remains vulnerable.

Risk and Exploitability

The vulnerability is client‑side and can be triggered by visiting a URL or submitting an input that contains a crafted uwa_auctions_bids_list value. The attack vector is inferred from the description, which notes that it could be used against high‑privilege users. With a CVSS score of 6.1, the flaw represents moderate severity. EPSS is not reported, and the issue is not in the CISA KEV catalog, so the likelihood of active exploitation is unknown. Nonetheless, the primary risk is execution of attacker‑supplied script in the victim’s browser, opening the door to privilege escalation, session hijacking, or defacement if an admin or other privileged user views the page.

Generated by OpenCVE AI on June 22, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ultimate WooCommerce Auction Pro plugin to any version newer than 2.4.5, which removes the unsanitized parameter handling.
  • If upgrading is not immediately possible, implement server‑side validation and HTML‑encoding for the uwa_auctions_bids_list input before it is rendered to the page.
  • As a temporary measure, disable or remove the feature that processes uwa_auctions_bids_list through the plugin’s settings or through custom code until a patched version is available.

Generated by OpenCVE AI on June 22, 2026 at 21:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Ultimate-woocommerce-auction-pro
Ultimate-woocommerce-auction-pro ultimate-woocommerce-auction-pro
Wordpress
Wordpress wordpress
Vendors & Products Ultimate-woocommerce-auction-pro
Ultimate-woocommerce-auction-pro ultimate-woocommerce-auction-pro
Wordpress
Wordpress wordpress

Mon, 22 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Mon, 22 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
Description The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Title Ultimate WooCommerce Auction Pro <= 2.4.5 - Reflected XSS via uwa_auctions_bids_list
References

Subscriptions

Ultimate-woocommerce-auction-pro Ultimate-woocommerce-auction-pro
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-22T16:34:10.426Z

Reserved: 2026-03-13T10:56:13.020Z

Link: CVE-2026-4110

cve-icon Vulnrichment

Updated: 2026-06-22T16:28:42.589Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:41:33Z

Weaknesses

No weakness.