CVE-2026-15324 in Customize My Account for WooCommerce Plugin
Summary
by MITRE • 07/16/2026
The SysBasics Customize My Account for WooCommerce – Live My Account Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'row_type' parameter in all versions up to, and including, 4.4.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/16/2026
The vulnerability identified in the SysBasics Customize My Account for WooCommerce plugin represents a critical stored cross-site scripting flaw that undermines the security integrity of WordPress e-commerce installations. This weakness exists within version 4.4.14 and all preceding releases, creating a persistent threat vector that can be exploited by authenticated attackers who possess shop manager privileges or higher access levels. The vulnerability stems from inadequate input validation mechanisms that fail to properly sanitize user-supplied data before it is processed and stored within the system's database.
The technical exploitation occurs through manipulation of the 'row_type' parameter, which serves as an entry point for malicious script injection. When administrators or authorized users interact with the plugin's customization interface, the insufficient input sanitization allows attackers to embed malicious JavaScript code that gets stored in the database. This stored content persists until manually removed, making it particularly dangerous as it can affect any user who accesses pages containing the injected scripts. The vulnerability specifically lacks proper output escaping mechanisms that would normally prevent malicious code from executing when rendered in web browsers.
The operational impact of this vulnerability extends beyond simple script execution, creating potential pathways for more sophisticated attacks including session hijacking, credential theft, and data exfiltration. Attackers could leverage this weakness to inject malicious scripts that redirect users to phishing sites, steal authentication cookies, or perform unauthorized transactions within the compromised WooCommerce environment. The stored nature of the vulnerability means that once exploited, the malicious code remains active until manually removed from the database, potentially affecting multiple users over extended periods and creating a sustained threat to system security.
This vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws in web applications, and maps directly to ATT&CK technique T1566.002 which covers phishing with malicious attachments and links. The attack surface is particularly concerning given that it requires only shop manager-level privileges, which are commonly granted to trusted employees or contractors within e-commerce environments. Organizations should implement immediate mitigations including plugin updates to versions that address the sanitization issues, enhanced access controls limiting administrative privileges, and regular security auditing of custom plugin configurations. Additionally, implementing content security policies and monitoring for unusual script injection patterns can provide additional defensive layers against exploitation attempts.