Skip to main content

WPPizza CVE-2026-40796

| EUVDEUVD-2026-36806 MEDIUM
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2026-06-15 Patchstack GHSA-vmh5-x928-7v6f
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

PR:L reflects subscriber-role authentication prerequisite; C:H reflects full read access to other users' sensitive order and personal data; I:N and A:N because exploitation yields read-only data exposure with no write or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 23:05 vuln.today

DescriptionCVE.org

Subscriber Sensitive Data Exposure in WPPizza <= 3.19.9 versions.

AnalysisAI

Sensitive subscriber data exposure in the WPPizza WordPress plugin (versions ≤ 3.19.9) permits any authenticated user with a subscriber-level account to access protected data belonging to other users, such as customer order records or personal information managed by the plugin. The vulnerability stems from insufficient access control enforcement on data retrieval functionality (CWE-497), where low-privilege users are permitted to query sensitive system information outside their authorization scope. No public exploit code or confirmed active exploitation has been identified at time of analysis, though the low access complexity makes opportunistic exploitation realistic on sites permitting public user registration.

Technical ContextAI

WPPizza is a WordPress food ordering plugin developed by ollybach (CPE: cpe:2.3:a:ollybach:wppizza:*:*:*:*:*:*:*:*) that manages customer orders, menu items, and subscriber data within the WordPress ecosystem. CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere) identifies the root cause as a failure to restrict access to privileged data from insufficiently privileged callers. In WordPress plugins, this class of flaw typically manifests as missing or improperly enforced capability checks on AJAX action handlers, REST API endpoints, or shortcode callbacks - allowing any authenticated user (even the lowest 'subscriber' role) to trigger data-retrieval operations that should be restricted to administrators or the data owner. The plugin's typical data scope includes customer names, addresses, phone numbers, and order histories, making this category of exposure particularly sensitive under data protection frameworks.

RemediationAI

The primary remediation is to update WPPizza to a version beyond 3.19.9 as soon as a patched release is published; no exact fixed version number is confirmed in the available intelligence, so administrators should monitor the official WordPress plugin repository and the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wppizza/vulnerability/wordpress-wppizza-plugin-3-19-9-sensitive-data-exposure-vulnerability for patch confirmation. As an immediate compensating control, disable public user registration on the WordPress site (wp-admin → Settings → General → uncheck 'Anyone can register') to eliminate the low-privilege account acquisition path required for exploitation - this is highly effective but prevents legitimate subscriber self-registration, which may be a business-critical feature for ordering workflows. If open registration must remain enabled, deploy a web application firewall rule to restrict access to WPPizza-specific AJAX endpoints (typically filtered by 'action=wppizza_*' in POST bodies to wp-admin/admin-ajax.php) to authenticated users whose roles match expected customer roles only. Audit existing subscriber accounts for unauthorized access if the plugin has been internet-exposed in its vulnerable state.

Share

CVE-2026-40796 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy