CVE Catalog

CVE-2026-4259

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

4th percentile - higher than 4% of all known CVEs

Summary

The ultimate-woocommerce-auction-pro WordPress plugin through version 2.4.5 does not sanitize and escape a parameter before outputting it back on the page, leading to a reflected Cross-Site Scripting vulnerability. This can be exploited against high privilege users such as admins.

Risk Assessment

Exploitation of this vulnerability could lead to admin account takeover and allow attackers to execute malicious code in the victim's browser context, posing a serious security threat to the organization.

Recommendation

It is recommended to update the plugin to the latest version that includes security fixes and to conduct a security audit of the application to identify and mitigate potential threats.

Original NVD description (English source)

The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Vulnerability data from NVD (NIST) · CISA KEV · EPSS