Skip to main content

PPOM for WooCommerce CVE-2026-56050

| EUVDEUVD-2026-39398 MEDIUM
Improper Access Control (CWE-284)
2026-06-25 Patchstack GHSA-qp5v-h8qw-wpmh
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
6.5 MEDIUM

Unauthenticated network-accessible endpoint with no complexity; scope unchanged; only limited integrity and availability impact confirmed, no confidentiality exposure.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 25, 2026 - 14:38 vuln.today
CVE Published
Jun 25, 2026 - 13:34 cve.org
MEDIUM 6.5

DescriptionCVE.org

Improper Access Control vulnerability in Themeisle PPOM for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects PPOM for WooCommerce: from n/a through 33.0.18.

AnalysisAI

Improper access control in PPOM for WooCommerce (all versions through 33.0.18) enables unauthenticated remote attackers to bypass access controls and perform unauthorized operations affecting the integrity and availability of affected WooCommerce stores. Classified under CWE-284 and confirmed as an authentication bypass by Patchstack, the flaw exposes plugin-managed product option data to manipulation or disruption without requiring any credentials. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify internet-facing WooCommerce store
Delivery
Confirm PPOM plugin version ≤33.0.18
Exploit
Send unauthenticated HTTP request to vulnerable endpoint
Execution
Bypass missing capability check
Impact
Modify product option data or disrupt plugin function

Vulnerability AssessmentAI

Exploitation The target WordPress site must have the PPOM for WooCommerce plugin installed, activated, and running version 33.0.18 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.5 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L indicates a medium-severity, remotely exploitable issue requiring no authentication or user interaction, with low attack complexity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker identifies a WooCommerce store running an affected PPOM plugin version and sends a crafted HTTP request to the vulnerable AJAX or REST endpoint that lacks proper capability checks, bypassing access control to modify product option configurations or trigger unintended plugin operations. Because AC:L and PR:N, no credential theft or complex setup is required - a direct HTTP request to the exposed endpoint is sufficient. …
Remediation The primary remediation is to update PPOM for WooCommerce to the version released after 33.0.18; the exact patched version number is not independently confirmed in the available intelligence, so the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/woocommerce-product-addon/vulnerability/wordpress-ppom-for-woocommerce-plugin-33-0-18-broken-access-control-vulnerability should be consulted directly for the confirmed fix version. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56050 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy