CVE-2026-2582 MEDIUM

CVE-2026-2582: Germanized for WooCommerce <= 3.20.5 - Unauthenticated Arbitrary Shortcode Execution

Vendor Vendidero
Product Germanized for WooCommerce
Weakness CWE-94 · Code injection
Published April 14, 2026
Last update April 14, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

Description

The Germanized for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution via the 'account_holder' parameter in all versions up to, and including, 3.20.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Key dates

Disclosure timeline

April 14, 2026 CVE published
April 14, 2026 Record updated