CVE-2026-15324 Overview
CVE-2026-15324 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the SysBasics Customize My Account for WooCommerce – Live My Account Customizer plugin for WordPress. The flaw resides in the handling of the row_type parameter and impacts all plugin versions up to and including 4.4.14. Insufficient input sanitization and output escaping allow authenticated users with shop manager privileges or higher to inject arbitrary JavaScript into plugin-rendered pages. Injected scripts execute in the browser of any user who accesses an affected page, enabling session hijacking, credential theft, or unauthorized administrative actions in the context of the victim. The weakness is classified as [CWE-79].
Critical Impact
Authenticated shop manager or higher accounts can persist arbitrary JavaScript in WooCommerce account pages, executing scripts against every visitor of the injected page.
Affected Products
- SysBasics Customize My Account for WooCommerce – Live My Account Customizer plugin for WordPress
- All versions up to and including 4.4.14
- WordPress sites running WooCommerce with the vulnerable plugin enabled
Discovery Timeline
- 2026-07-16 - CVE-2026-15324 published to NVD
- 2026-07-16 - Last updated in NVD database
Technical Details for CVE-2026-15324
Vulnerability Analysis
The vulnerability is a stored XSS issue triggered through the row_type parameter processed by the plugin's admin settings and account endpoint templates. The plugin persists the attacker-supplied value in the WordPress database and later renders it into HTML output without sufficient escaping. When any authenticated or unauthenticated visitor loads the affected My Account page, the browser executes the injected payload in the site's origin. Because the payload is stored, exploitation does not require repeated interaction — a single injection produces persistent execution on every subsequent page load. Attackers with shop manager access can leverage this to escalate privileges by targeting administrators who navigate the affected pages.
Root Cause
The plugin accepts the row_type value from admin-side forms and writes it to WordPress options without applying sanitization functions such as sanitize_text_field() or an allowlist of expected row types. On output, the templates in include/admin/admin_settings.php, include/admin/endpoint_form_response.php, and templates/myaccount/navigation/02.php echo the stored value without wrapping it in esc_attr() or esc_html(). The absence of contextual output escaping causes the attacker-controlled string to be interpreted as HTML and script content.
Attack Vector
An authenticated attacker with shop manager privileges submits a crafted row_type value containing HTML or JavaScript through the plugin's admin configuration interface. The malicious value is stored in the WordPress database and injected into rendered pages. When a shop administrator, customer, or other user loads the affected account page, the payload executes in their browser session. Exploitation requires an existing high-privilege account and does not require user interaction on the victim side beyond visiting the injected page. The vulnerability details are documented in the Wordfence Vulnerability Report and the WordPress Plugin Code Review.
No verified public exploit code is available. The vulnerability mechanism is described in prose per the referenced code review links.
Detection Methods for CVE-2026-15324
Indicators of Compromise
- Unexpected <script>, onerror, onload, or javascript: strings stored in WordPress options related to the customize-my-account-for-woocommerce plugin.
- Outbound HTTP requests from browser sessions of administrators or customers to unfamiliar external domains following visits to My Account pages.
- New or modified administrator accounts appearing after shop manager logins on sites running the vulnerable plugin.
- Anomalous JavaScript content rendered inside WooCommerce account navigation rows on the front end.
Detection Strategies
- Review the WordPress wp_options table for plugin settings containing HTML tags, event handlers, or encoded script payloads in row_type fields.
- Inspect the rendered HTML of /my-account/ pages for script content that does not originate from known plugin or theme sources.
- Correlate WordPress audit logs for shop manager account activity in the plugin settings interface with subsequent user session anomalies.
- Compare deployed plugin files against the fixed upstream release using the WordPress Plugin Changeset.
Monitoring Recommendations
- Enable WordPress activity logging for privilege changes, option updates, and plugin configuration events.
- Monitor web server access logs for POST requests to the plugin's admin endpoints from shop manager accounts.
- Alert on Content Security Policy (CSP) violations reported by browsers visiting WooCommerce account pages.
- Track file integrity for plugin directories under wp-content/plugins/customize-my-account-for-woocommerce/.
How to Mitigate CVE-2026-15324
Immediate Actions Required
- Update the SysBasics Customize My Account for WooCommerce plugin to a version later than 4.4.14 once a patched release is available.
- Audit all shop manager and administrator accounts and remove unused or unnecessary high-privilege users.
- Rotate credentials and invalidate active sessions for any account that had access to the plugin settings prior to remediation.
- Inspect stored plugin configuration for injected payloads and remove malicious entries from the database.
Patch Information
Refer to the WordPress Plugin Changeset for the upstream code changes. Site operators should install the fixed plugin version from the official WordPress plugin repository as soon as it is published. Verify the installed version through the WordPress admin plugins screen after upgrade.
Workarounds
- Deactivate the Customize My Account for WooCommerce plugin until a patched version can be installed.
- Restrict the shop manager role to trusted personnel and require multi-factor authentication for accounts holding that role.
- Deploy a web application firewall rule that blocks HTML and script metacharacters in requests targeting the plugin's admin settings endpoints.
- Apply a strict Content Security Policy that disallows inline script execution on WooCommerce account pages.
# Configuration example: disable the vulnerable plugin via WP-CLI
wp plugin deactivate customize-my-account-for-woocommerce
wp plugin update customize-my-account-for-woocommerce
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

