Stored Cross-Site Scripting Vulnerability in WP Customer Area Plugin for WordPress
CVE-2026-7640
6.4MEDIUM
What is CVE-2026-7640?
The WP Customer Area plugin for WordPress has a vulnerability that allows for Stored Cross-Site Scripting (XSS) through the 'type' attribute in the customer-area-protected-content shortcode. This issue stems from inadequate input sanitization and output escaping of the shortcode attribute. As a result, authenticated attackers with Contributor-level access or higher can inject malicious web scripts into pages. These scripts will execute every time a user accesses the compromised page, potentially leading to data theft or unauthorized actions.
Affected Version(s)
WP Customer Area 0 <= 8.3.5