CVE-2026-12136 Overview
CVE-2026-12136 is a Stored Cross-Site Scripting (XSS) vulnerability [CWE-79] in the Customize My Account For WooCommerce plugin for WordPress, affecting all versions up to and including 4.3.6. The flaw resides in the sysbasics_user_avatar shortcode, where user-supplied attributes are concatenated into an HTML style attribute without proper sanitization or escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that executes in the browser of any user viewing the affected page.
Critical Impact
Authenticated contributors can inject persistent JavaScript into WordPress pages, enabling session theft, administrative action hijacking, and visitor browser compromise across affected WooCommerce storefronts.
Affected Products
- Customize My Account For WooCommerce plugin for WordPress
- All versions up to and including 4.3.6
- WordPress sites with WooCommerce that allow Contributor-level or higher accounts
Discovery Timeline
- 2026-06-18 - CVE-2026-12136 published to NVD
- 2026-06-18 - Last updated in NVD database
Technical Details for CVE-2026-12136
Vulnerability Analysis
The vulnerability exists in the wcmamtx_get_avatar_default() function of the Customize My Account For WooCommerce plugin. This function processes the sysbasics_user_avatar shortcode and accepts four user-controlled attributes: min_height, min_width, max_height, and max_width. These attributes are concatenated directly into the extra_attr parameter passed to WordPress's get_avatar() function, where they become part of the rendered style attribute on the avatar's <img> element.
Because the plugin neither sanitizes the inputs nor escapes the output, an attacker can break out of the style context and inject arbitrary HTML attributes or script payloads. The injected content persists in the database as page content, executing every time a visitor renders the affected page.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]. Shortcode attribute values flow into an HTML attribute sink without calls to esc_attr(), sanitize_text_field(), or equivalent escaping. The plugin trusts that shortcode attribute values are benign, but WordPress Contributors can author posts containing arbitrary shortcodes and attributes.
Attack Vector
An attacker registers or compromises a WordPress account with Contributor permissions or higher. The attacker authors a post or page containing the sysbasics_user_avatar shortcode with a malicious payload embedded in one of the dimension attributes, such as min_height carrying a value that closes the style attribute and introduces an onload or onerror handler. When an administrator previews the submission or any visitor loads the published page, the injected script executes in their session context. This enables cookie theft, CSRF action chaining against /wp-admin/, and arbitrary DOM manipulation. The vulnerability mechanics are detailed in the Wordfence Vulnerability Analysis and the corresponding WordPress Plugin Code Reference.
Detection Methods for CVE-2026-12136
Indicators of Compromise
- Database entries in wp_posts containing the sysbasics_user_avatar shortcode with non-numeric values in min_height, min_width, max_height, or max_width attributes.
- Rendered HTML containing style attributes with unexpected tokens such as quotes, angle brackets, or JavaScript event handlers near avatar elements.
- Outbound browser requests from page visitors to attacker-controlled domains originating from WooCommerce account pages.
Detection Strategies
- Scan post and page content for the sysbasics_user_avatar shortcode and validate that dimension attributes contain only numeric values.
- Inspect web server access logs for unusual POST requests to /wp-admin/post.php or /wp-admin/post-new.php from Contributor-level accounts.
- Review recently published or pending content from non-Editor users for shortcode-based injection attempts.
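The numeric-only validation of the dimension attributes described above, together with the hardening the root-cause section implies (sanitize the four dimensions to integers before they reach the style attribute), as an added Python example; it is not code from the advisory or from the plugin, its attribute parser only approximates WordPress's shortcode_parse_atts(), and the sample posts are constructed:

```python
import re

# Shortcode and the four dimension attributes named in the advisory.
SHORTCODE = "sysbasics_user_avatar"
DIM_ATTRS = ("min_height", "min_width", "max_height", "max_width")

# One [sysbasics_user_avatar ...] tag; group 1 is its raw attribute string.
SHORTCODE_RE = re.compile(r"\[" + SHORTCODE + r"\b([^\]]*)\]")
# name="v", name='v' or name=bareword. Approximates WordPress's
# shortcode_parse_atts(); it is not that function.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")
# What a benign dimension looks like: up to four digits, optional CSS unit.
SAFE_DIM_RE = re.compile(r"^\d{1,4}(px|em|rem|%)?$")

# Constructed sample rows standing in for wp_posts (ID -> post_content).
SAMPLE_POSTS = {
    101: 'Hi! [sysbasics_user_avatar min_height="64" max_width="64px"]',
    102: "[sysbasics_user_avatar min_height='64\" onerror=\"alert(1)' max_width=\"64\"]",
    103: "Plain post with no shortcode.",
}

def parse_attrs(attr_string):
    """Return {name: value} for the attributes inside one shortcode tag."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_string):
        name, dq, sq, bare = m.groups()
        attrs[name] = dq if dq is not None else sq if sq is not None else bare
    return attrs

def find_suspicious(posts):
    """Detection: (post_id, attribute, value) for every non-numeric dimension."""
    findings = []
    for post_id, content in posts.items():
        for tag in SHORTCODE_RE.finditer(content):
            for name, value in parse_attrs(tag.group(1)).items():
                if name in DIM_ATTRS and not SAFE_DIM_RE.match(value.strip()):
                    findings.append((post_id, name, value))
    return findings

def safe_dimension(value, default=64):
    """Hardening: keep only a leading integer (like WordPress absint()), else default."""
    m = re.match(r"\s*(\d{1,4})", str(value))
    return int(m.group(1)) if m else default

def build_style(attrs):
    """Build the style value from sanitized integers only, so no value can break out."""
    parts = [f"{name.replace('_', '-')}:{safe_dimension(attrs[name])}px"
             for name in DIM_ATTRS if name in attrs]
    return ";".join(parts)
```

Running find_suspicious(SAMPLE_POSTS) flags post 102's min_height value, while build_style on the same attributes yields only "min-height:64px;max-width:64px".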
Monitoring Recommendations
- Alert on creation or modification of WordPress users granted Contributor or higher roles outside expected workflows.
- Monitor browser-side telemetry for script execution originating from WooCommerce my-account pages to unfamiliar domains.
- Track plugin version inventory and flag any WordPress instance running Customize My Account For WooCommerce 4.3.6 or earlier.
How to Mitigate CVE-2026-12136
Immediate Actions Required
- Update the Customize My Account For WooCommerce plugin to a version newer than 4.3.6 as soon as the vendor publishes a fixed release.
- Audit all existing posts and pages containing the sysbasics_user_avatar shortcode and remove any with non-numeric dimension attributes.
- Review the Contributor and Author user list and remove accounts that should not retain content authoring privileges.
Patch Information
The vendor committed a fix referenced in the WordPress Plugin Changeset on the WordPress.org plugin repository. Site administrators should upgrade to the latest available release that includes this changeset. Refer to the Wordfence Vulnerability Analysis for the confirmed patched version.
Workarounds
- Temporarily restrict the Contributor role from using shortcodes by employing a role editor plugin or custom capability filter until patching is complete.
- Deploy a Web Application Firewall (WAF) rule that blocks requests containing the sysbasics_user_avatar shortcode with non-numeric values in dimension parameters.
- Disable or uninstall the Customize My Account For WooCommerce plugin if it is not actively required for business operations.
# Audit example: list every post or page whose content uses the sysbasics_user_avatar
# shortcode, printing the post ID of each match so it can be reviewed directly
wp post list --post_type=any --post_status=any --format=ids \
| xargs -n1 -I {} sh -c 'wp post get {} --field=post_content | grep -q "sysbasics_user_avatar" && echo "post {} uses sysbasics_user_avatar"'
# Check the installed plugin version (4.3.6 or earlier is affected)
wp plugin get customize-my-account-for-woocommerce --field=version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

