Skip to main content

Storecustomizer EUVDEUVD-2026-15761

| CVE-2026-27046 MEDIUM
Missing Authorization (CWE-862)
2026-03-25 Patchstack GHSA-q7x3-fpgx-9pgg
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15761
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
MEDIUM 6.5

DescriptionCVE.org

Missing Authorization vulnerability in Kaira StoreCustomizer woocustomizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects StoreCustomizer: from n/a through <= 2.6.3.

AnalysisAI

Kaira StoreCustomizer woocustomizer versions 2.6.3 and earlier contain a missing authorization flaw that allows authenticated users to modify store customization settings they should not have access to. An attacker with low-level user privileges can exploit this misconfigured access control to make unauthorized changes to the store's appearance and configuration. No patch is currently available for this vulnerability.

Technical ContextAI

The vulnerability resides in the Kaira StoreCustomizer plugin (identified via CPE cpe:2.3:a:kaira:storecustomizer:*:*:*:*:*:*:*:*), a WordPress plugin designed for store customization. The root cause is classified under CWE-862: Missing Authorization, which indicates that the plugin fails to perform proper authorization checks before executing sensitive operations. This typically occurs when WordPress nonces, capability checks (is_user_logged_in(), current_user_can()), or role-based access control mechanisms are either absent or incorrectly implemented in plugin functions. The affected plugin versions through 2.6.3 contain one or more unprotected functions callable by unauthenticated users or users with insufficient privileges, allowing direct exploitation of store customization features without proper permission validation.

RemediationAI

Immediately upgrade the Kaira StoreCustomizer plugin to a patched version beyond 2.6.3 (check the official plugin repository or vendor advisory for the specific patched release). WordPress site administrators should navigate to the Plugins dashboard, locate StoreCustomizer, and apply the available update. Until a patch is available or applied, consider disabling the StoreCustomizer plugin entirely if it is not actively required for critical store operations. As a temporary mitigation, restrict access to the plugin's admin pages using WordPress capability restrictions and security plugins that enforce stricter role-based access controls; however, this is not a substitute for patching. Organizations using this plugin should also audit recent store configuration changes and review access logs for unauthorized modifications. Consult Patchstack's vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/woocustomizer/ for updates on patch availability and detailed remediation guidance.

Share

EUVD-2026-15761 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy