Germanized for WooCommerce < 3.20.6 – Unauthenticated Arbitrary Shortcode Execution | CVE 2026-2582 | Plugin Vulnerabilities

Description

The The Germanized for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution via 'account_holder' parameter in all versions up to, and including, 3.20.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Affects Plugins

woocommerce-germanized

Fixed in 3.20.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9e6837ad-576f-4c25-9540-6144ddc8630e

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Chiao-Lin Yu (Steven Meow)

Verified

No

WPVDB ID

abd58bf8-b592-459a-b253-1decd613347c

Timeline

Publicly Published

2026-04-13 (about 1 month ago)

Added

2026-04-13 (about 1 month ago)

Last Updated

2026-04-14 (about 1 month ago)

Other

Published

Title

Published

2018-08-26

Title

Plainview Activity Monitor < 20180826 - Remote Command Execution (RCE)

Published

2022-04-12

Title

Multiple Plugins from Cool Plugins - Subscriber+ Arbitrary Plugin Installation & Activation

Published

2023-11-21

Title

WP All Export (Free < 1.4.0, Pro < 1.8.6) - Admin+ RCE

Published

2026-04-21

Title

FunnelFormsPro <= 3.8.1 - Authenticated (Subscriber+) Remote Code Execution

Published

2024-05-15

Title

Advanced Custom Fields Pro < 6.2.10 - Contributor+ Code Injection