Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Kaira StoreCustomizer woocustomizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects StoreCustomizer: from n/a through <= 2.6.3.
AnalysisAI
Kaira StoreCustomizer woocustomizer versions 2.6.3 and earlier contain a missing authorization flaw that allows authenticated users to modify store customization settings they should not have access to. An attacker with low-level user privileges can exploit this misconfigured access control to make unauthorized changes to the store's appearance and configuration. No patch is currently available for this vulnerability.
Technical ContextAI
The vulnerability resides in the Kaira StoreCustomizer plugin (identified via CPE cpe:2.3:a:kaira:storecustomizer:*:*:*:*:*:*:*:*), a WordPress plugin designed for store customization. The root cause is classified under CWE-862: Missing Authorization, which indicates that the plugin fails to perform proper authorization checks before executing sensitive operations. This typically occurs when WordPress nonces, capability checks (is_user_logged_in(), current_user_can()), or role-based access control mechanisms are either absent or incorrectly implemented in plugin functions. The affected plugin versions through 2.6.3 contain one or more unprotected functions callable by unauthenticated users or users with insufficient privileges, allowing direct exploitation of store customization features without proper permission validation.
RemediationAI
Immediately upgrade the Kaira StoreCustomizer plugin to a patched version beyond 2.6.3 (check the official plugin repository or vendor advisory for the specific patched release). WordPress site administrators should navigate to the Plugins dashboard, locate StoreCustomizer, and apply the available update. Until a patch is available or applied, consider disabling the StoreCustomizer plugin entirely if it is not actively required for critical store operations. As a temporary mitigation, restrict access to the plugin's admin pages using WordPress capability restrictions and security plugins that enforce stricter role-based access controls; however, this is not a substitute for patching. Organizations using this plugin should also audit recent store configuration changes and review access logs for unauthorized modifications. Consult Patchstack's vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/woocustomizer/ for updates on patch availability and detailed remediation guidance.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15761
GHSA-q7x3-fpgx-9pgg