Stored XSS Vulnerability in SysBasics Customize My Account for WooCommerce <= 4.3.6 (CVE-2026-12136)

Vulnerability Overview Vulnerability Name: SysBasics Customize My Account for WooCommerce <= 4.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes CVE ID: CVE-2026-12136 CVSS Score: 6.4 (Medium) Release Date: June 17, 2026 Last Updated: June 18, 2026 Researcher: Chloe Chamberland - Wordfence PRISM Affected Versions Software Type: Plugin Software Slug: customize-my-account-for-woocommerce Affected Versions: <= 4.3.6 Fixed Version: 4.3.7 Remediation Fix: Update to version 4.3.7 or a newer patched version Vulnerability Description This vulnerability exists in the Customize My Account for WooCommerce plugin due to improper handling of user input for the shortcode, leading to a Stored Cross-Site Scripting (XSS) attack. Attackers can execute arbitrary scripts when users visit compromised pages by injecting malicious input. References plugins.trac.wordpress.org plugins.trac.wordpress.org plugins.trac.wordpress.org plugins.trac.wordpress.org Related Vulnerabilities 1. SysBasics Customize My Account for WooCommerce <= 4.3.6 - Reflected Cross-Site Scripting via tab Parameter - CVE ID: CVE-2026-12137 - CVSS Score: 6.1 - Researcher: Chloe Chamberland, PRISM - Release Date: June 17, 2026 2. SysBasics Customize My Account for WooCommerce <= 2.8.22 - Reflected Cross-Site Scripting - CVE ID: CVE-2025-24592 - CVSS Score: 6.1 - Researcher: Le Ngoc Anh - Release Date: December 21, 2024 3. SysBasics Customize My Account for WooCommerce <= 2.7.29 - Reflected Cross-Site Scripting via tab Parameter - CVE ID: CVE-2024-10837 - CVSS Score: 6.1 - Researcher: vgo0 - Release Date: November 9, 2024 4. Customize My Account for WooCommerce <= 1.8.3 - Cross-Site Request Forgery via restore_my_account_tabs - CVE ID: CVE-2023-51369 - CVSS Score: 4.3 - Researcher: thernv - Release Date: December 26, 2023 Summary This vulnerability involves a Stored Cross-Site Scripting (XSS) attack affecting versions <= 4.3.6 of the SysBasics Customize My Account for WooCommerce plugin. Users are advised to update to version 4.3.7 or later as soon as possible to remediate this issue.

Goal Reached Thanks to every supporter — we hit 100%!

Stored XSS Vulnerability in SysBasics Customize My Account for WooCommerce <= 4.3.6 (CVE-2026-12136)

More from this source