CVE Catalog

CVE-2026-4110

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

5th percentile — higher than 5% of all known CVEs

Summary

The ultimate-woocommerce-auction-pro plugin for WordPress up to version 2.4.5 does not sanitize and escape a parameter before outputting it back on the page, leading to a Reflected Cross-Site Scripting vulnerability. This could be exploited against high privilege users such as admins.

Risk Assessment

Exploitation of this vulnerability could lead to the compromise of admin accounts, posing a serious security threat to the entire site.

Recommendation

It is recommended to update the plugin to the latest version that includes security fixes, and to review and validate input parameters to prevent XSS attacks.

Original NVD description (English source)

The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Vulnerability data from NVD (NIST) · CISA KEV · EPSS