PT-2026-1612 · WordPress+1 · Email Customizer For Woocommerce+1
Andrii Kaspir
·
Published
2026-01-07
·
Updated
2026-01-07
·
CVE-2025-13974
CVSS v3.1
4.4
Medium
| Vector | AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
The Email Customizer for WooCommerce versions up to and including 2.6.7
Description
The Email Customizer for WooCommerce plugin for WordPress is susceptible to Stored Cross-Site Scripting through email template content. Insufficient input sanitization and output escaping allow authenticated attackers with administrator-level access to inject arbitrary web scripts into email templates. These scripts will execute when customers view transactional emails. This issue only impacts multi-site installations and those where unfiltered html has been disabled.
Recommendations
Update The Email Customizer for WooCommerce plugin to a version later than 2.6.7.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Email Customizer For Woocommerce
Woocommerce