Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network-reachable auth bypass (CWE-288) discloses protected data with no integrity or availability impact, matching AV:N/AC:L/PR:N/UI:N and C:H only.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Broken Authentication in Email Marketing for WooCommerce by Omnisend <= 1.18.0 versions.
AnalysisAI
Information disclosure in the Email Marketing for WooCommerce by Omnisend WordPress plugin versions 1.18.0 and earlier allows unauthenticated remote attackers to bypass authentication controls and access protected data. The flaw is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and carries CVSS 7.5 driven entirely by confidentiality impact. No public exploit identified at time of analysis, and the issue is not on CISA KEV.
Technical ContextAI
The vulnerability resides in the Omnisend plugin (CPE cpe:2.3:a:omnisend:email_marketing_for_woocommerce_by_omnisend), a WordPress extension that bridges WooCommerce stores with the Omnisend email marketing platform for newsletter, abandoned-cart, and customer segmentation flows. CWE-288 describes situations where a protected resource is reachable through an alternate code path that fails to enforce the authentication check applied on the primary path - commonly seen in WordPress plugins that expose REST API endpoints, AJAX actions (wp-admin/admin-ajax.php), or callback handlers without proper capability_check or nonce verification. The affected component is the plugin's connector logic (referenced by the Patchstack slug 'omnisend-connect'), which likely exposes one or more endpoints that disclose data without verifying caller identity.
RemediationAI
Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the provided data, so administrators should upgrade the Omnisend plugin to the latest available release above 1.18.0 via the WordPress plugin dashboard and verify the installed version after update. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/omnisend-connect/vulnerability/wordpress-email-marketing-for-woocommerce-by-omnisend-plugin-1-18-0-broken-authentication-vulnerability for the vendor-confirmed fixed version. If immediate upgrade is not possible, compensating controls include deactivating the omnisend-connect plugin entirely (trade-off: loss of email marketing automation and abandoned-cart recovery), restricting access to the plugin's REST API and admin-ajax endpoints at the WAF or reverse-proxy layer by blocking unauthenticated requests to /wp-json/omnisend/* and admin-ajax.php actions prefixed with 'omnisend_' (trade-off: may break legitimate integration callbacks from Omnisend's SaaS backend), or placing the site behind an authenticated maintenance gate until patched.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36833
GHSA-7j8h-2p3w-mmhx