CVE-2026-4259 PUBLISHED

Ultimate WooCommerce Auction Pro <= 2.4.5 - Reflected XSS via uwa_manage_auctions

Assigner: WPScan
Reserved: 16.03.2026 Published: 22.06.2026 Updated: 22.06.2026

The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Product Status

Vendor	Unknown
Product	ultimate-woocommerce-auction-pro
Versions	Default: unknown affected from 0 to 2.4.5 (incl.)

Credits

Kacper Rybczyński finder
WPScan coordinator

References

https://wpscan.com/vulnerability/a98d234b-11e8-4a07-8593-982d656a4fd3/

Problem Types

CWE-79 Cross-Site Scripting (XSS) CWE