CVE Catalog

CVE-2026-12137

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

11th percentile — higher than 11% of all known CVEs

Summary

The SysBasics Customize My Account plugin for WooCommerce is vulnerable to reflected Cross-Site Scripting via the 'tab' parameter in all versions up to and including 4.3.6 due to insufficient input sanitization and output escaping. Attackers can inject arbitrary web scripts, requiring the victim to be logged in with at least Shop Manager-level access.

Risk Assessment

This vulnerability poses a risk of injecting malicious code, which could lead to user data theft or account takeover. However, it requires the victim to be logged in to the WordPress admin dashboard.

Recommendation

It is recommended to update the plugin to the latest version to mitigate this vulnerability. Additionally, access to the admin panel should be restricted to trusted users.

Original NVD description (English source)

The SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 4.3.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Because the vulnerable plugin_options_page() function is only rendered within the WordPress admin dashboard, successful exploitation requires the targeted victim to be logged in with Shop Manager-level access or higher.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS