Skip to main content

Extra Product Options CVE-2026-57390

| EUVDEUVD-2026-43463 MEDIUM
Missing Authorization (CWE-862)
2026-07-13 Patchstack
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
6.5 MEDIUM

Network-reachable plugin endpoint, no auth required per missing authorization flaw, scope unchanged, no confidentiality loss, limited integrity and availability impact only.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 11:28 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
MEDIUM 6.5

DescriptionCVE.org

Missing Authorization vulnerability in EDGARROJAS Extra Product Options Builder for WooCommerce additional-product-fields-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Extra Product Options Builder for WooCommerce: from n/a through <= 1.2.167.

AnalysisAI

Missing authorization in the Extra Product Options Builder for WooCommerce plugin (versions through 1.2.167) permits remote unauthenticated attackers to perform restricted actions without valid credentials, impacting both data integrity and service availability on affected WordPress storefronts. The flaw stems from CWE-862 - the plugin exposes endpoints or AJAX actions that fail to verify whether the caller holds the necessary capability or role before executing sensitive operations. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with plugin
Delivery
Send unauthenticated HTTP POST to AJAX endpoint
Exploit
Bypass missing authorization check
Execution
Modify or delete product option data
Impact
Disrupt storefront order integrity

Vulnerability AssessmentAI

Exploitation No special exploitation conditions are required beyond the plugin being installed and active on a WordPress/WooCommerce site: the CVSS vector AV:N/AC:L/PR:N/UI:N confirms remote, unauthenticated, low-complexity exploitation against any default deployment of the plugin. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 6.5 (Medium) reflects a network-accessible, zero-complexity, unauthenticated vector (AV:N/AC:L/PR:N/UI:N), with limited but real integrity and availability impacts (I:L/A:L) and no confidentiality loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker identifies a WordPress storefront running the vulnerable plugin version by inspecting page source or probing known WooCommerce plugin fingerprints. The attacker sends a crafted HTTP POST request to the site's AJAX endpoint targeting a plugin action that lacks authorization checks, successfully manipulating product option configurations or disrupting their availability - for example, altering pricing fields or removing required option sets from product listings - without ever authenticating to the WordPress site.
Remediation The primary fix is to update the Extra Product Options Builder for WooCommerce plugin to any version released after 1.2.167; however, no exact patched version number is confirmed in the available input data - administrators should consult the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/additional-product-fields-for-woocommerce/vulnerability/wordpress-extra-product-options-builder-for-woocommerce-plugin-1-2-167-broken-access-control-vulnerability for the confirmed fixed release before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57390 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy