CVE-2026-12137: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in phppoet SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager
The SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager WordPress plugin is vulnerable to reflected Cross-Site Scripting (XSS) via the 'tab' parameter in all versions up to and including 4.3.6. This vulnerability arises from insufficient input sanitization and output escaping. Exploitation requires the victim to be logged in with Shop Manager-level access or higher in the WordPress admin dashboard. An attacker can inject arbitrary scripts that execute when a user clicks a crafted link. The vulnerability has a medium severity rating with a CVSS score of 6.1.
AI Analysis
Technical Summary
CVE-2026-12137 describes a reflected Cross-Site Scripting vulnerability in the SysBasics Customize My Account for WooCommerce plugin for WordPress. The issue is due to improper neutralization of input in the 'tab' parameter handled by the plugin_options_page() function, which is rendered only in the WordPress admin dashboard. Because the function is accessible only to users with Shop Manager-level privileges or higher, exploitation requires the victim to be authenticated with such access. The vulnerability allows injection of arbitrary web scripts that execute upon user interaction, potentially leading to limited confidentiality and integrity impacts within the admin context. No official patch or remediation guidance is currently provided by the vendor, and no known exploits are reported in the wild.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary scripts in the context of the WordPress admin dashboard for users with Shop Manager-level or higher privileges. This can lead to limited confidentiality and integrity impacts, such as session hijacking or unauthorized actions within the admin interface. There is no indication of availability impact. The attack requires user interaction and authenticated access at a privileged level.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict Shop Manager-level and higher access to trusted users only. Avoid clicking on untrusted links that could trigger the reflected XSS. Monitor for updates from the plugin vendor regarding official patches or mitigations.
CVE-2026-12137: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in phppoet SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager
Description
The SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager WordPress plugin is vulnerable to reflected Cross-Site Scripting (XSS) via the 'tab' parameter in all versions up to and including 4.3.6. This vulnerability arises from insufficient input sanitization and output escaping. Exploitation requires the victim to be logged in with Shop Manager-level access or higher in the WordPress admin dashboard. An attacker can inject arbitrary scripts that execute when a user clicks a crafted link. The vulnerability has a medium severity rating with a CVSS score of 6.1.
CVSS v3.1
Score 6.1medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-12137 describes a reflected Cross-Site Scripting vulnerability in the SysBasics Customize My Account for WooCommerce plugin for WordPress. The issue is due to improper neutralization of input in the 'tab' parameter handled by the plugin_options_page() function, which is rendered only in the WordPress admin dashboard. Because the function is accessible only to users with Shop Manager-level privileges or higher, exploitation requires the victim to be authenticated with such access. The vulnerability allows injection of arbitrary web scripts that execute upon user interaction, potentially leading to limited confidentiality and integrity impacts within the admin context. No official patch or remediation guidance is currently provided by the vendor, and no known exploits are reported in the wild.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary scripts in the context of the WordPress admin dashboard for users with Shop Manager-level or higher privileges. This can lead to limited confidentiality and integrity impacts, such as session hijacking or unauthorized actions within the admin interface. There is no indication of availability impact. The attack requires user interaction and authenticated access at a privileged level.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict Shop Manager-level and higher access to trusted users only. Avoid clicking on untrusted links that could trigger the reflected XSS. Monitor for updates from the plugin vendor regarding official patches or mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-06-12T17:00:40.214Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a339fe1f198dc38c15adc84
Added to database: 6/18/2026, 7:36:01 AM
Last enriched: 6/18/2026, 7:50:12 AM
Last updated: 6/18/2026, 8:50:33 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.