PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12137 phppoet CVE debrief

The SysBasics Customize My Account for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping. Successful exploitation requires the victim to be logged in with Shop Manager-level access or higher within the WordPress admin dashboard. The vulnerability has a CVSS score of 6.1 and is classified as MEDIUM severity.

Vendor
phppoet
Product
SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-18
Original CVE updated
2026-06-18
Advisory published
2026-06-18
Advisory updated
2026-06-18

Who should care

Administrators and users with Shop Manager-level access or higher of WordPress installations using the SysBasics Customize My Account for WooCommerce plugin, especially those with public-facing dashboards, should be aware of this vulnerability and take necessary precautions to prevent exploitation.

Technical summary

The vulnerability exists in the plugin_options_page() function of the SysBasics Customize My Account for WooCommerce plugin, which is only rendered within the WordPress admin dashboard. The 'tab' parameter is not properly sanitized, allowing unauthenticated attackers to inject arbitrary web scripts. These scripts can be executed if a user with Shop Manager-level access or higher can be tricked into performing an action such as clicking on a link. The vulnerability requires user interaction and specific access levels for exploitation.

Defensive priority

Medium priority due to the required access level for exploitation and the need for user interaction.

Recommended defensive actions

  • Update to a patched version of the plugin if available.
  • Implement Content Security Policy (CSP) to restrict script execution.
  • Monitor for suspicious dashboard activity.
  • Restrict access to the WordPress admin dashboard.
  • Educate users on safe browsing practices.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-06-18T08:16:33.610Z and was last modified on 2026-06-18T19:16:19.843Z. The vulnerability was reported by [email protected]. Evidence is limited to public CVE and NVD details. Defenders should verify affected product deployments and review official advisories for scope and severity. Additional information may be needed for thorough risk assessment.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-18T08:16:33.610Z and has not been modified since then.