CVE-2026-2582
MEDIUM
Germanized for WooCommerce <= 3.20.5 - Unauthenticated Arbitrary Shortcode Execution
Title source: cna
Description
The Germanized for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution via the 'account_holder' parameter in all versions up to, and including, 3.20.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
References (3)
Scores
CVSS v3
6.5
EPSS
0.0011
EPSS Percentile
29.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Details
CWE
CWE-94
Status
published
Products (1)
vendidero/Germanized for WooCommerce
< 3.20.5
Published
Apr 14, 2026
Tracked Since
Apr 14, 2026