Skip to main content

Kit for WooCommerce CVE-2026-57753

| EUVDEUVD-2026-41309 MEDIUM
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2026-07-02 Patchstack GHSA-q6f8-4vjv-w4qf
5.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network-accessible endpoint with no authentication barrier; limited confidentiality impact only, with no integrity or availability effect confirmed.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 12:30 vuln.today
CVE Published
Jul 02, 2026 - 11:15 cve.org
MEDIUM 5.3

DescriptionCVE.org

Unauthenticated Sensitive Data Exposure in Kit (formerly ConvertKit) for WooCommerce <= 2.1.5 versions.

AnalysisAI

Unauthenticated sensitive data exposure in the Kit (formerly ConvertKit) for WooCommerce WordPress plugin versions 2.1.5 and below allows remote unauthenticated attackers to access sensitive information without any credentials or user interaction. The vulnerability is classified under CWE-497, indicating the plugin inadvertently surfaces system or application-level sensitive data to an unauthorized control sphere - likely including API keys, subscriber data, or configuration secrets tied to the Kit email marketing integration. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Discover WordPress site with Kit plugin installed
Exploit
Send unauthenticated HTTP request to vulnerable endpoint
Execution
Receive sensitive data in response
Impact
Exfiltrate data for downstream abuse

Vulnerability AssessmentAI

Exploitation The Kit (formerly ConvertKit) for WooCommerce plugin must be installed and activated on a WordPress site running WooCommerce, at version 2.1.5 or below. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N reflects a remotely exploitable, low-complexity, zero-auth flaw with limited confidentiality impact and no integrity or availability impact - consistent with an information disclosure issue rather than a code execution vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker identifies a WordPress e-commerce site running the Kit for WooCommerce plugin by passive enumeration (e.g., checking plugin directory listings or response headers). The attacker issues a direct HTTP GET request to the vulnerable plugin endpoint - requiring no session token, cookies, or credentials - and receives a response containing sensitive data such as API keys or customer information. …
Remediation The primary remediation is to update the Kit for WooCommerce plugin to a version above 2.1.5 via the WordPress plugin dashboard or WP-CLI. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57753 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy