WordPress Plugin Vulnerabilities

Ultimate WooCommerce Auction Pro <= 2.4.5 - Reflected XSS via uwa_manage_auctions

Description

The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Proof of Concept

Affects Plugins

Plugin icon
ultimate-woocommerce-auction-pro
No known fix

References

CVE
CVE-2026-4259

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Kacper Rybczyński
Submitter
Kacper Rybczyński
Submitter website
https://zabkagroup.com/
Verified
Yes
WPVDB ID
a98d234b-11e8-4a07-8593-982d656a4fd3

Timeline

Publicly Published
2026-06-01 (about 21 days ago)
Added
2026-06-01 (about 20 days ago)
Last Updated
2026-06-01 (about 20 days ago)

Other

Published
Title
Published
2025-02-03
Title
Survey Maker < 5.1.3.6 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2026-01-27
Title
TelSender < 1.14.15 - Unauthenticated Stored XSS via Telegram Chat Title
Published
2024-12-11
Title
Photo Gallery, Images, Slider in Rbs Image Gallery < 3.2.24 - Admin+ Stored XSS
Published
2021-08-26
Title
PostX Gutenberg Blocks Saved Templates Addon < 2.4.10 - Contributor+ Stored Cross-Site Scripting
Published
2025-07-16
Title
JetSearch < 3.5.11 - Authenticated (Contributor+) Stored Cross-Site Scripting