CVE-2026-12137
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk11th percentile — higher than 11% of all known CVEs
Summary
The SysBasics Customize My Account plugin for WooCommerce is vulnerable to reflected Cross-Site Scripting via the 'tab' parameter in all versions up to and including 4.3.6 due to insufficient input sanitization and output escaping. Attackers can inject arbitrary web scripts, requiring the victim to be logged in with at least Shop Manager-level access.
Risk Assessment
This vulnerability poses a risk of injecting malicious code, which could lead to user data theft or account takeover. However, it requires the victim to be logged in to the WordPress admin dashboard.
Recommendation
It is recommended to update the plugin to the latest version to mitigate this vulnerability. Additionally, access to the admin panel should be restricted to trusted users.
Original NVD description (English source)
The SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 4.3.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Because the vulnerable plugin_options_page() function is only rendered within the WordPress admin dashboard, successful exploitation requires the targeted victim to be logged in with Shop Manager-level access or higher.

