Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Network-accessible, zero-auth exposure (PR:N, AV:N); limited partial confidentiality loss only; no integrity or availability impact confirmed by description.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Sensitive Data Exposure in WCBoost – Products Compare <= 1.1.0 versions.
AnalysisAI
Unauthenticated sensitive data exposure in the WCBoost - Products Compare WordPress plugin (versions <= 1.1.0) allows any remote attacker to access sensitive information without credentials. The CVSS vector confirms network-accessible exploitation requiring no authentication, no user interaction, and low complexity, yielding a partial confidentiality breach. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation against any WordPress installation running WCBoost - Products Compare version 1.1.0 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.3 (Medium) reflects limited but real-world impact: AV:N confirms the vulnerability is exploitable over the network; AC:L and PR:N/UI:N confirm no barriers to exploitation beyond knowing the site runs this plugin. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker enumerates WordPress sites running the WCBoost - Products Compare plugin (e.g., via public scanner or Google dorking for plugin-specific assets), then sends a crafted HTTP request to the vulnerable endpoint - likely a WordPress AJAX handler or REST API route - and receives sensitive data in the response. No public exploit code has been identified at time of analysis, but the low complexity and zero authentication requirement make manual exploitation straightforward for any attacker familiar with WordPress plugin vulnerability patterns. |
| Remediation | The primary remediation is to update the WCBoost - Products Compare plugin to a version above 1.1.0 via the WordPress admin dashboard or WP-CLI. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39749
GHSA-9cp8-fxmh-4hc3