PatchSiren cyber security CVE debrief
CVE-2026-12137 phppoet CVE debrief
The SysBasics Customize My Account for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping. Successful exploitation requires the victim to be logged in with Shop Manager-level access or higher within the WordPress admin dashboard. The vulnerability has a CVSS score of 6.1 and is classified as MEDIUM severity.
- Vendor
- phppoet
- Product
- SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager
- CVSS
- MEDIUM 6.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-18
- Original CVE updated
- 2026-06-18
- Advisory published
- 2026-06-18
- Advisory updated
- 2026-06-18
Who should care
Administrators and users with Shop Manager-level access or higher of WordPress installations using the SysBasics Customize My Account for WooCommerce plugin, especially those with public-facing dashboards, should be aware of this vulnerability and take necessary precautions to prevent exploitation.
Technical summary
The vulnerability exists in the plugin_options_page() function of the SysBasics Customize My Account for WooCommerce plugin, which is only rendered within the WordPress admin dashboard. The 'tab' parameter is not properly sanitized, allowing unauthenticated attackers to inject arbitrary web scripts. These scripts can be executed if a user with Shop Manager-level access or higher can be tricked into performing an action such as clicking on a link. The vulnerability requires user interaction and specific access levels for exploitation.
Defensive priority
Medium priority due to the required access level for exploitation and the need for user interaction.
Recommended defensive actions
- Update to a patched version of the plugin if available.
- Implement Content Security Policy (CSP) to restrict script execution.
- Monitor for suspicious dashboard activity.
- Restrict access to the WordPress admin dashboard.
- Educate users on safe browsing practices.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-06-18T08:16:33.610Z and was last modified on 2026-06-18T19:16:19.843Z. The vulnerability was reported by [email protected]. Evidence is limited to public CVE and NVD details. Defenders should verify affected product deployments and review official advisories for scope and severity. Additional information may be needed for thorough risk assessment.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-18T08:16:33.610Z and has not been modified since then.