Stored Cross-Site Scripting Vulnerability in WP Customer Area Plugin for WordPress
CVE-2026-7640

6.4MEDIUM

Key Information:

Vendor

WordPress

Vendor
CVE Published:
14 July 2026

What is CVE-2026-7640?

The WP Customer Area plugin for WordPress has a vulnerability that allows for Stored Cross-Site Scripting (XSS) through the 'type' attribute in the customer-area-protected-content shortcode. This issue stems from inadequate input sanitization and output escaping of the shortcode attribute. As a result, authenticated attackers with Contributor-level access or higher can inject malicious web scripts into pages. These scripts will execute every time a user accesses the compromised page, potentially leading to data theft or unauthorized actions.

Affected Version(s)

WP Customer Area 0 <= 8.3.5

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

zaim
.