CVE-2026-4259 | The ultimate-woocommerce-auction-pro WordPress plugin throug… | CVSS 7.1 HIGH

Description

The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Metadata

CVE ID: CVE-2026-4259
State: PUBLISHED
Assigner: WPScan
Reserved: 2026-03-16 10:30 UTC
Published: 2026-06-22 06:00 UTC
Last updated: 2026-06-22 12:55 UTC
Primary CWE: CWE-79
CWE-79 Improper Neutralization of Input During Web Page Gene…
Vendor / Product: Unknown / ultimate-woocommerce-auction-pro
Sources: cve.org · NVD

Severity & Metrics

7.1 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Unknown	ultimate-woocommerce-auction-pro	—	0 ≤ 2.4.5

Weakness (CWE)

CWE	Source	Description
—	cna	CWE-79 Cross-Site Scripting (XSS)
CWE-79	adp	CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.1	HIGH	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

References (1)

https://wpscan.com/vulnerability/a98d234b-11e8-4a07-8593-982d656a4fd3/