Reflected Cross-Site Scripting in Ultimate WooCommerce Auction Pro Plugin by WordPress
CVE-2026-4259

7.1HIGH

Key Information:

Vendor: WordPress
Status: Ultimate-WooCommerce-auction-pro
Vendor: CVE Published:; 22 June 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-4259?

The Ultimate WooCommerce Auction Pro plugin for WordPress before version 2.4.5 is vulnerable to reflected cross-site scripting (XSS). This vulnerability allows attackers to inject malicious scripts through unsanitized user input, specifically targeting the output displayed on the web page. As a result, high privilege users, including administrators, may be at risk of exposure to harmful content, which could lead to unauthorized actions and data compromises.

Affected Version(s)

ultimate-woocommerce-auction-pro 0 <= 2.4.5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-4259 - Proof of Concept

References

https://wpscan.com/vulnerability/a98d234b-11e8-4a07-8593-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 22, 2026
👾
Exploit known to exist
Jun 22, 2026
Vulnerability published
Jun 22, 2026
Vulnerability Reserved
Mar 16, 2026

Credit

Kacper Rybczyński

WPScan

CVE-2026-4259 Data

JSON