CVE-2026-57358
Deferred Deferred - Pending Action

Unauthenticated XSS in Customize My Account for WooCommerce

Vulnerability report for CVE-2026-57358, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: Patchstack

Description

Unauthenticated Cross Site Scripting (XSS) in Customize My Account for WooCommerce <= 4.3.9 versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-02
Last Modified
2026-07-02
Generated
2026-07-02
AI Q&A
2026-07-02
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
patchstack customize_my_account_for_woocommerce to 4.3.9 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The WordPress Customize My Account for WooCommerce Plugin, versions 4.3.9 and earlier, is vulnerable to an unauthenticated Cross Site Scripting (XSS) attack.

This vulnerability allows attackers to inject malicious scripts, such as redirects or advertisements, which execute when visitors access the site.

Exploitation requires a privileged user to perform an action like clicking a malicious link or submitting a form.

The vulnerability has a CVSS severity score of 7.1, indicating it is moderately dangerous and could be exploited in mass campaigns targeting thousands of websites.

Impact Analysis

Successful exploitation of this vulnerability can lead to the execution of malicious scripts on your website.

  • Attackers can inject redirects that send visitors to malicious or unwanted sites.
  • Attackers can display unwanted advertisements or other malicious content.

This can harm your website's reputation, compromise user trust, and potentially lead to further security issues.

Detection Guidance

This vulnerability involves Cross Site Scripting (XSS) in the Customize My Account for WooCommerce plugin versions 4.3.9 and earlier. Detection typically involves monitoring for suspicious or unexpected script injections in web requests or responses related to the plugin's functionality.

While no specific commands are provided in the available resources, general detection methods include inspecting HTTP requests and responses for injected scripts using tools like curl, wget, or browser developer tools, and scanning web server logs for unusual input patterns.

Additionally, applying the mitigation rule issued by Patchstack can help block attacks until the plugin is updated.

Mitigation Strategies

The immediate recommended step is to update the Customize My Account for WooCommerce plugin to version 4.3.10 or later, which contains the patch for this vulnerability.

Until the update can be applied, users should implement the mitigation rule issued by Patchstack to block attacks targeting this vulnerability.

Additionally, monitoring for suspicious activity and restricting privileged user actions that could trigger the vulnerability can help reduce risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57358. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart