CVE-2026-4259
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk4th percentile - higher than 4% of all known CVEs
Summary
The ultimate-woocommerce-auction-pro WordPress plugin through version 2.4.5 does not sanitize and escape a parameter before outputting it back on the page, leading to a reflected Cross-Site Scripting vulnerability. This can be exploited against high privilege users such as admins.
Risk Assessment
Exploitation of this vulnerability could lead to admin account takeover and allow attackers to execute malicious code in the victim's browser context, posing a serious security threat to the organization.
Recommendation
It is recommended to update the plugin to the latest version that includes security fixes and to conduct a security audit of the application to identify and mitigate potential threats.
Original NVD description (English source)
The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

