Skip to main content

Product Configurator for WooCommerce CVE-2026-11568

| EUVDEUVD-2026-40916 HIGH
2026-07-01 WPScan GHSA-x525-xmpm-prq9
7.5
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.3 MEDIUM

Remote unauthenticated, low complexity (AV:N/AC:L/PR:N/UI:N), but confidentiality impact is limited to a bounded set of product fields, so C:L not C:H; no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jul 01, 2026 - 11:22 vuln.today
CVSS changed
Jul 01, 2026 - 11:22 NVD
7.5 (HIGH)
Patch available
Jul 01, 2026 - 08:01 EUVD
CVE Published
Jul 01, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)
CVE Published
Jul 01, 2026 - 06:00 cve.org
HIGH 7.5

DescriptionCVE.org

The Product Configurator for WooCommerce WordPress plugin before 1.7.3 does not perform any authorisation or post-status check before returning WooCommerce product data through a public AJAX action, allowing unauthenticated users to retrieve the data (title, price, weight, stock status, and configurator option pricing/SKUs) of private and draft, non-public products by supplying the product ID. WordPress post-visibility controls are bypassed.

AnalysisAI

Unauthenticated information disclosure in the Product Configurator for WooCommerce WordPress plugin (versions before 1.7.3) exposes sensitive product data through a public AJAX action that skips authorization and post-status checks. By supplying only a product ID, remote unauthenticated users can read titles, prices, weights, stock status, and configurator option pricing/SKUs of private and draft products, bypassing WordPress post-visibility controls. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WooCommerce store with plugin
Delivery
Enumerate candidate product IDs
Exploit
Call public AJAX action unauthenticated
Execution
Bypass post-visibility check
Impact
Exfiltrate private/draft product data

Vulnerability AssessmentAI

Exploitation Exploitation requires only that the vulnerable plugin (before 1.7.3) is installed and active on a WooCommerce store, and that the attacker supplies a product ID to the plugin's public (nopriv) AJAX action - no authentication, user interaction, or non-default configuration is needed, matching AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base 7.5) reflects a network-reachable, low-complexity, unauthenticated flaw with confidentiality-only impact and no integrity or availability effect - consistent with an information-disclosure bug rather than code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker scripts requests to the plugin's public AJAX action, iterating product IDs to enumerate products the store intended to keep private or in draft. Because publicly available exploit code exists and the CVSS vector is AV:N/AC:L/PR:N/UI:N (no auth, no user interaction, low complexity), the attacker can harvest unreleased pricing, upcoming SKUs, and stock levels at scale from a competitor's or victim's store with a simple loop.
Remediation Vendor-released patch: 1.7.3 - upgrade the Product Configurator for WooCommerce plugin to version 1.7.3 or later, which is the primary and recommended fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all WordPress sites running Product Configurator for WooCommerce plugin versions prior to 1.7.3. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11568 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy