CVE-2026-2582

6.5 MEDIUM

Published: April 14, 2026 Modified: April 14, 2026

Description

The The Germanized for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution via 'account_holder' parameter in all versions up to, and including, 3.20.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://plugins.trac.wordpress.org/browser/woocommerce-germanized/tags/3.20.5/includes/gateways/direct-debit/class-wc-gzd-gateway-direct-debit.php#L214

Source: security@wordfence.com

https://plugins.trac.wordpress.org/browser/woocommerce-germanized/tags/3.20.5/includes/gateways/direct-debit/class-wc-gzd-gateway-direct-debit.php#L982

Source: security@wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/9e6837ad-576f-4c25-9540-6144ddc8630e?source=cve

Source: security@wordfence.com

3 reference(s) from NVD

Quick Stats

CVSS v3 Score

6.5 / 10.0

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-94

Related CVEs

CVE-2026-5307 N/A

CVE-2026-2450 N/A

CVE-2024-9168 N/A

CVE-2026-2449 N/A

CVE-2026-2332 7.4