Skip to main content

Motive Commerce Search EUVDEUVD-2026-36829

| CVE-2026-42664 HIGH
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-vx3p-m937-p8h8
8.2
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
vuln.today AI
8.2 HIGH

Unauthenticated network-reachable WordPress plugin endpoint with missing authorization (PR:N, AV:N, AC:L); broken access control allows state changes (I:L) and service disruption (A:H) without data disclosure (C:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 21:59 vuln.today
CVE Published
Jun 15, 2026 - 20:18 cve.org
HIGH 8.2

DescriptionCVE.org

Unauthenticated Broken Access Control in AI Product Search for WooCommerce &#8211; Motive Commerce Search <= 1.38.2 versions.

AnalysisAI

Unauthenticated broken access control in the AI Product Search for WooCommerce - Motive Commerce Search WordPress plugin (versions <= 1.38.2) allows remote attackers to invoke privileged functionality without authentication, leading to data integrity tampering and significant availability impact on affected WooCommerce storefronts. Reported by Patchstack with no public exploit identified at time of analysis and no CISA KEV listing, the issue stems from missing authorization checks (CWE-862) on plugin endpoints reachable over the network with no user interaction.

Technical ContextAI

The vulnerability resides in the AI Product Search for WooCommerce plugin (also branded Motive Commerce Search), a WordPress extension that augments WooCommerce stores with AI-driven product search and recommendation features. The root cause is CWE-862 (Missing Authorization), meaning one or more plugin-exposed actions - typically WordPress AJAX handlers, REST routes, or admin-post endpoints - fail to verify the caller's capability or nonce before executing privileged operations. The CPE string cpe:2.3:a:motive_commerce_search:ai_product_search_for_woocommerce_&#8211;_motive_commerce_search:*:*:*:*:*:*:*:* indicates all versions through 1.38.2 of this single plugin are in scope; no WordPress core or WooCommerce core code is implicated.

RemediationAI

Upgrade the AI Product Search for WooCommerce - Motive Commerce Search plugin to a version later than 1.38.2 as soon as the vendor publishes a fixed release; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/motive-commerce-search/vulnerability/wordpress-ai-product-search-for-woocommerce-motive-commerce-search-plugin-1-38-2-broken-access-control-vulnerability for the exact patched version, as a specific fix version is not provided in the available input data - patch availability per vendor advisory is therefore noted but not independently confirmed. As compensating controls until patching, deactivate the Motive Commerce Search plugin (which removes the AI search feature from the storefront and may degrade product discoverability), or place WAF rules in front of WordPress to block unauthenticated requests to the plugin's AJAX (admin-ajax.php with the plugin's action parameter) and REST routes (typically /wp-json/<plugin-namespace>/*), accepting that overly broad rules can break legitimate frontend search functionality. Restricting /wp-admin/admin-ajax.php and /wp-json/ access by source IP where feasible is an additional layer, but is impractical for public storefronts.

Share

EUVD-2026-36829 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy