Home

Description

The The Germanized for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution via 'account_holder' parameter in all versions up to, and including, 3.20.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PUBLISHED Reserved 2026-02-16 | Published 2026-04-14 | Updated 2026-04-14 | Assigner Wordfence




MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Problem types

CWE-94 Improper Control of Generation of Code ('Code Injection')

Product status

Default status
unaffected

Any version
affected

Timeline

2026-02-07:Discovered
2026-03-30:Vendor Notified
2026-04-13:Disclosed

Credits

Chiao-Lin Yu finder

References

www.wordfence.com/...-576f-4c25-9540-6144ddc8630e?source=cve

plugins.trac.wordpress.org/...c-gzd-gateway-direct-debit.php

plugins.trac.wordpress.org/...c-gzd-gateway-direct-debit.php

cve.org (CVE-2026-2582)

nvd.nist.gov (CVE-2026-2582)

Download JSON