Description
The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Published: 2026-06-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A reflected cross‑site scripting vulnerability exists in the ultimate‑woocommerce‑auction‑pro WordPress plugin versions up to 2.4.5. The flaw arises from an unsanitised parameter that is echoed back to the user interface, allowing an attacker to inject arbitrary JavaScript. When executed against administrators or other privileged users, the injected script could read or modify session data, trigger actions on behalf of the user, or redirect to malicious sites, thereby compromising the confidentiality, integrity, or availability of the admin account.

Affected Systems

All installations of Ultimate WooCommerce Auction Pro with versions 2.4.5 or earlier are affected. The plugin is distributed as a WordPress add‑on and may be present in any WordPress site that uses the auction functionality provided by this vendor.

Risk and Exploitability

The vulnerability is exploitable through the web interface; an attacker only needs to craft a URL containing the unauthenticated parameter (uwa_manage_auctions) and lure a privileged user to visit it. The CVSS score of 7.1 is publicly available, and the EPSS score is not listed, suggesting low to moderate prevalence. The vulnerability is not currently listed in the CISA KEV catalog, but its potential to compromise administrator accounts means it should be treated with high priority.

Generated by OpenCVE AI on June 22, 2026 at 15:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Ultimate WooCommerce Auction Pro to version 2.4.6 or later
  • If an immediate update is not possible, block access to the uwa_manage_auctions parameter by adding a rewrite rule in the .htaccess file that redirects or returns a 404 for any request containing that parameter
  • Deploy a web application firewall that filters or blocks reflected XSS payloads on the affected endpoint, such as disabling script tags or matching malicious input patterns

Generated by OpenCVE AI on June 22, 2026 at 15:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Ultimate-woocommerce-auction-pro
Ultimate-woocommerce-auction-pro ultimate-woocommerce-auction-pro
Wordpress
Wordpress wordpress
Vendors & Products Ultimate-woocommerce-auction-pro
Ultimate-woocommerce-auction-pro ultimate-woocommerce-auction-pro
Wordpress
Wordpress wordpress

Mon, 22 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 08:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Mon, 22 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
Description The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Title Ultimate WooCommerce Auction Pro <= 2.4.5 - Reflected XSS via uwa_manage_auctions
References

Subscriptions

Ultimate-woocommerce-auction-pro Ultimate-woocommerce-auction-pro
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-22T12:55:31.944Z

Reserved: 2026-03-16T10:30:53.657Z

Link: CVE-2026-4259

cve-icon Vulnrichment

Updated: 2026-06-22T12:55:19.365Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:41:32Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')