EUVD-2026-37859

🗓️ 18 Jun 2026 06:50:04Reported by EUVDType

Stored cross site scripting in Customize My Account for Woocommerce via sysbasics_user_avatar up to version 4.3.6; requires Contributor access.

Reporter	Title	Published	Views	Family All 5
CVE	CVE-2026-12136	18 Jun 202606:50	–	cve
Cvelist	CVE-2026-12136 SysBasics Customize My Account for WooCommerce <= 4.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes	18 Jun 202606:50	–	cvelist
NVD	CVE-2026-12136	18 Jun 202608:16	–	nvd
Patchstack	WordPress SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager plugin <= 4.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability	17 Jun 202617:37	–	patchstack
Positive Technologies	PT-2026-50639	18 Jun 202600:00	–	ptsecurity

[
  {
    "enisaIdVendor": [
      {
        "id": "6299f29a-4e34-31c4-a942-c1993a3e0448",
        "vendor": {
          "name": "phppoet"
        }
      }
    ],
    "enisaIdProduct": [
      {
        "id": "1218e652-1dd4-38a9-9ed0-9bb7de90fc56",
        "product": {
          "name": "SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager",
          "vendor": {
            "name": "phppoet"
          }
        },
        "product_version": "0 ≤4.3.6"
      }
    ]
  }
]

Source	Link
wordfence	www.wordfence.com/threat-intel/vulnerabilities/id/44d041ca-caa6-410d-b2d1-7a63208cc512
plugins	www.plugins.trac.wordpress.org/browser/customize-my-account-for-woocommerce/tags/4.3.6/include/wcmamtx_extra_functions.php
plugins	www.plugins.trac.wordpress.org/browser/customize-my-account-for-woocommerce/tags/4.3.6/include/sysbasics-avatar-upload.php
plugins	www.plugins.trac.wordpress.org/browser/customize-my-account-for-woocommerce/tags/4.3.6/include/sysbasics-avatar-upload.php
plugins	www.plugins.trac.wordpress.org/changeset

18 Jun 2026 06:50Current

5.5Medium risk

Vulners AI Score5.5

CVSS 3.16.4