CVE-2026-12136

{"id": "CVE-2026-12136", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-12136", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-18T12:31:10.891035Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 3.1}]}, "affected": [{"source": "security@wordfence.com", "affectedData": [{"vendor": "phppoet", "product": "SysBasics Customize My Account for WooCommerce \u2013 Dashboard, Endpoints, Avatar & Menu Manager", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.3.6"}], "defaultStatus": "unaffected"}]}], "published": "2026-06-18T08:16:33.490", "references": [{"url": "https://plugins.trac.wordpress.org/browser/customize-my-account-for-woocommerce/tags/4.3.6/include/sysbasics-avatar-upload.php#L524", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/customize-my-account-for-woocommerce/tags/4.3.6/include/sysbasics-avatar-upload.php#L573", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/customize-my-account-for-woocommerce/tags/4.3.6/include/wcmamtx_extra_functions.php#L163", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3571110%40customize-my-account-for-woocommerce&new=3571110%40customize-my-account-for-woocommerce&sfp_email=&sfph_mail=", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/44d041ca-caa6-410d-b2d1-7a63208cc512?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sysbasics_user_avatar' shortcode in versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied attributes (min_height, min_width, max_height, max_width) in the wcmamtx_get_avatar_default() function, which are concatenated unescaped into the get_avatar() extra_attr style attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "lastModified": "2026-06-18T15:23:56.087", "sourceIdentifier": "security@wordfence.com"}