Security Alert Summary
The Germanized for WooCommerce plugin for WordPress contains a vulnerability that allows arbitrary shortcode execution via the ‘account_holder’ parameter in all versions up to and including 3.20.5. The issue permits unauthenticated attackers to trigger do_shortcode on unvalidated input, which can lead to unauthorized shortcode execution on affected sites.
CVE Details
- CVE ID: CVE-2026-2582
- Affected component: The Germanized for WooCommerce plugin for WordPress
- Affected versions: All versions up to, and including, 3.20.5
- Published: April 14, 2026 at 7:16:06 AM UTC
- Last modified: April 14, 2026 at 7:16:06 AM UTC
- CVSS v3.1: Base score 6.5 (MEDIUM), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. Attack vector: Network; attack complexity: Low; privileges required: None (PR:N); user interaction: None (UI:N); scope: Unchanged.
- Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
- Weakness (CWE): CWE-94 (Improper Control of Generation of Code)
Technical Details
The vulnerability exists because the value supplied in the account_holder parameter is passed to do_shortcode without validation or sanitization. Both Trac references below point into the plugin's direct-debit payment gateway class (includes/gateways/direct-debit/class-wc-gzd-gateway-direct-debit.php), where that field is handled. Because do_shortcode parses its argument for [tag] syntax and invokes the matching registered handler, anyone who can submit that parameter can run any shortcode registered on the site, with attributes and enclosed content of their choosing. The CVE description states that no authentication is required and that all versions up to and including 3.20.5 are affected.
The practical effect is that any shortcode handler present on the site, whether from WordPress core, WooCommerce, the theme or another plugin, can be invoked with attacker-supplied input. The impact is therefore bounded by what those handlers do and what data they can reach; the flaw does not by itself give PHP code execution unless some registered shortcode provides it. This matches the CVSS assessment of low confidentiality and integrity impact and no availability impact.
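The pattern the advisory describes and its hardened counterpart, as an added example that is not code from Germanized for WooCommerce. The field name account_holder comes from the advisory; the shortcode name demo_secret, the request array and the handler body are constructed for illustration. Inside WordPress the real core functions are used; the stand-ins at the top exist only so the file also runs with plain `php` and they handle self-closing [tag] syntax only.

```php
<?php
/**
 * Added example, not plugin code: request data reaching do_shortcode() (the
 * shape the advisory describes) next to a handler that treats the same field
 * as plain text. Run inside WordPress (e.g. as an mu-plugin) or stand-alone.
 */
if ( ! function_exists( 'do_shortcode' ) ) {
    // Deliberately minimal stand-ins for WordPress core, used only outside WordPress.
    $GLOBALS['shortcode_tags'] = array();
    function add_shortcode( $tag, $cb ) { $GLOBALS['shortcode_tags'][ $tag ] = $cb; }
    function do_shortcode( $content ) {
        return preg_replace_callback( '/\[([a-z0-9_-]+)\]/', function ( $m ) {
            $cb = $GLOBALS['shortcode_tags'][ $m[1] ] ?? null;
            return $cb ? (string) call_user_func( $cb, array(), '', $m[1] ) : $m[0];
        }, $content );
    }
    function strip_shortcodes( $v )    { return preg_replace( '/\[[a-z0-9_-]+\]/', '', (string) $v ); }
    function wp_unslash( $v )          { return stripslashes( (string) $v ); }
    function sanitize_text_field( $v ) { return trim( strip_tags( (string) $v ) ); }
    function esc_html( $v )            { return htmlspecialchars( (string) $v, ENT_QUOTES, 'UTF-8' ); }
}

// Constructed stand-in for any handler a site already has registered; real ones
// may read options, user or order data, or render templates.
add_shortcode( 'demo_secret', function () {
    return 'SECRET-VALUE-ONLY-A-SHORTCODE-HANDLER-CAN-SEE';
} );

// Vulnerable shape: the account holder field goes straight into do_shortcode(),
// so "[demo_secret]" typed into a checkout form runs that handler.
function render_account_holder_vulnerable( array $request ) {
    $holder = $request['account_holder'] ?? '';
    return do_shortcode( 'Account holder: ' . $holder );
}

// Hardened shape: sanitize on input, escape on output, never route the value
// through do_shortcode(). strip_shortcodes() is defence in depth for the case
// where the stored value is later merged into content (order or e-mail
// templates) that something else runs through do_shortcode().
function render_account_holder_hardened( array $request ) {
    $holder = sanitize_text_field( wp_unslash( $request['account_holder'] ?? '' ) );
    $holder = trim( strip_shortcodes( $holder ) );
    return 'Account holder: ' . esc_html( $holder );
}

// Constructed request, the shape an unauthenticated checkout submission could take.
$request = array( 'account_holder' => 'Erika Musterfrau [demo_secret]' );
echo render_account_holder_vulnerable( $request ), PHP_EOL; // handler runs, its return value leaks
echo render_account_holder_hardened( $request ), PHP_EOL;   // handler never runs
```

The essential fix is the absence of do_shortcode in the hardened path: a bank account holder name is data, not markup, so it is escaped for the context it is printed into rather than interpreted. Escaping alone would leave a literal "[demo_secret]" in the stored value, which is why the example also strips shortcode syntax before the value can reach any later template processing.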
How This Could Impact Your Website
Consider a small ecommerce site using Germanized for WooCommerce where the site owner manages overall settings, an internal staff member processes orders, and an external contractor helps with integrations. An unauthenticated attacker exploiting this weakness needs none of those accounts: they can make the site's existing shortcodes run with input they control. Practical consequences include limited disclosure of information that shortcode handlers can reach (for example, a shortcode that surfaces user or order data) and tampering with content that shortcodes generate.
This raises the risk of targeted phishing or social engineering if attacker-influenced output exposes or lends credibility to contact details for staff or contributors. The integrity of rendered content that depends on shortcodes may also be affected. The CVSS rating marks both impacts as low; it does not imply full site takeover or any effect on availability.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update Germanized for WooCommerce to a release later than 3.20.5 as soon as the vendor publishes one. Because the flaw is reachable without authentication, no account or password hardening prevents it; the remaining items reduce what an attacker can reach, not whether they can trigger it.
- Review and reduce unnecessary user roles, especially contributor-level accounts and any other roles with content or shortcode access.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins and audit which shortcodes are registered site-wide: every registered shortcode is reachable through this flaw, so the fewer there are, and the less sensitive their output, the smaller the impact.
- Monitor site activity and logs for shortcode syntax ([...]) arriving in form fields that should hold plain text, such as the account holder name, and for unexpected content in rendered shortcode output or stored order data.
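A way to carry out the shortcode audit above, as an added example that is not part of the plugin or of WordPress: it walks the site's shortcode registry and resolves each handler to the file and line that defines it, so you can see which plugins and themes would be reachable through an attacker-controlled do_shortcode call. It reads the real $shortcode_tags global when run inside WordPress (for example with `wp eval-file`); the registry at the bottom is constructed only so the script also runs stand-alone, and the file name list-shortcodes.php is a placeholder.

```php
<?php
/**
 * Added example, not plugin code: inventory of registered shortcodes and the
 * location of each handler. Inside WordPress run it with
 *   wp eval-file list-shortcodes.php
 * (placeholder file name). Stand-alone, a constructed registry is used.
 */
function shortcode_inventory( array $tags ) : array {
    $rows = array();
    foreach ( $tags as $tag => $cb ) {
        try {
            if ( is_array( $cb ) ) {
                $ref = new ReflectionMethod( $cb[0], $cb[1] );
            } elseif ( is_string( $cb ) && strpos( $cb, '::' ) !== false ) {
                list( $class, $method ) = explode( '::', $cb, 2 );
                $ref = new ReflectionMethod( $class, $method );
            } elseif ( is_object( $cb ) && ! ( $cb instanceof Closure ) ) {
                $ref = new ReflectionMethod( $cb, '__invoke' );
            } else {
                $ref = new ReflectionFunction( $cb );
            }
            if ( $ref->isInternal() ) {
                $where = 'PHP internal function';
            } else {
                $where = $ref->getFileName() . ':' . $ref->getStartLine();
            }
        } catch ( Throwable $e ) {
            // Handler registered but not loadable right now (undefined function,
            // missing class); still worth a look, it may be conditionally loaded.
            $where = 'unresolvable (' . $e->getMessage() . ')';
        }
        $rows[ $tag ] = $where;
    }
    ksort( $rows );
    return $rows;
}

if ( ! isset( $GLOBALS['shortcode_tags'] ) ) {
    // Constructed registry for stand-alone runs; inside WordPress the real one is used.
    $GLOBALS['shortcode_tags'] = array(
        'gallery'   => 'gallery_shortcode',               // core handler, undefined outside WordPress
        'demo_user' => function () { return 'user data'; },
        'demo_trim' => 'trim',                            // internal function as a handler
    );
}

foreach ( shortcode_inventory( $GLOBALS['shortcode_tags'] ) as $tag => $where ) {
    printf( "[%s]  %s\n", $tag, $where );
}
```

Handlers whose path lies under wp-content/plugins or wp-content/themes are the ones to review first: core shortcodes are well known, while a third-party handler that reads options, user or order data, or renders arbitrary templates defines the real blast radius of this flaw. Anything that shows up as unresolvable deserves a second run from a request context where that plugin is fully loaded.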
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/woocommerce-germanized/tags/3.20.5/includes/gateways/direct-debit/class-wc-gzd-gateway-direct-debit.php#L214
- https://plugins.trac.wordpress.org/browser/woocommerce-germanized/tags/3.20.5/includes/gateways/direct-debit/class-wc-gzd-gateway-direct-debit.php#L982
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9e6837ad-576f-4c25-9540-6144ddc8630e?source=cve