CVE-2026-4259
Deferred Deferred - Pending Action

Reflected XSS in Ultimate WooCommerce Auction Pro WordPress Plugin

Vulnerability report for CVE-2026-4259, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: WPScan

Description

The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-22
Generated
2026-07-12
AI Q&A
2026-06-22
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
woocommerce ultimate-woocommerce-auction-pro to 2.4.5 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include restricting access to the affected plugin's functionality to trusted users only, such as administrators, to reduce the risk of exploitation.

Disable or remove the Ultimate WooCommerce Auction Pro plugin if it is not essential until a patch or update is released.

Implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'uwa_manage_auctions' parameter.

Monitor and audit logs for suspicious requests containing script tags or unusual input in the 'uwa_manage_auctions' parameter.

Executive Summary

The Ultimate WooCommerce Auction Pro WordPress plugin, up to version 2.4.5, contains a Reflected Cross-Site Scripting (XSS) vulnerability. This happens because the plugin does not properly sanitize and escape a parameter called "uwa_manage_auctions" before displaying it back on the web page. As a result, an attacker can inject malicious scripts into the page.

This vulnerability can be exploited to target users with high privileges, such as administrators, potentially allowing attackers to execute harmful actions within the context of the affected website.

Impact Analysis

This vulnerability can allow attackers to execute malicious scripts in the browsers of high-privilege users like administrators. This can lead to unauthorized actions such as stealing session cookies, defacing the website, or performing administrative tasks without permission.

Detection Guidance

This vulnerability can be detected by testing the 'uwa_manage_auctions' parameter in the Ultimate WooCommerce Auction Pro plugin for reflected Cross-Site Scripting (XSS). You can attempt to inject a simple script payload into this parameter and observe if it is reflected unsanitized in the web page output.

  • Use a web proxy tool like Burp Suite or OWASP ZAP to intercept requests to the plugin and modify the 'uwa_manage_auctions' parameter with a test payload such as <script>alert(1)</script>.
  • Run a curl command to test the parameter, for example: curl -G 'http://yourwordpresssite.com/path-to-plugin' --data-urlencode 'uwa_manage_auctions=<script>alert(1)</script>' and check the response for the reflected script.
  • Use automated scanners that support XSS detection targeting this parameter.
Compliance Impact

The vulnerability in the Ultimate WooCommerce Auction Pro plugin allows for Reflected Cross-Site Scripting (XSS) attacks, which can be exploited to execute malicious scripts in the context of high-privilege users such as administrators.

Such vulnerabilities can lead to unauthorized access or manipulation of sensitive data, potentially resulting in breaches of confidentiality and integrity.

This can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and attacks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4259. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart