Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Unauthenticated network-reachable WordPress plugin endpoint with missing authorization (PR:N, AV:N, AC:L); broken access control allows state changes (I:L) and service disruption (A:H) without data disclosure (C:N).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Broken Access Control in AI Product Search for WooCommerce – Motive Commerce Search <= 1.38.2 versions.
AnalysisAI
Unauthenticated broken access control in the AI Product Search for WooCommerce - Motive Commerce Search WordPress plugin (versions <= 1.38.2) allows remote attackers to invoke privileged functionality without authentication, leading to data integrity tampering and significant availability impact on affected WooCommerce storefronts. Reported by Patchstack with no public exploit identified at time of analysis and no CISA KEV listing, the issue stems from missing authorization checks (CWE-862) on plugin endpoints reachable over the network with no user interaction.
Technical ContextAI
The vulnerability resides in the AI Product Search for WooCommerce plugin (also branded Motive Commerce Search), a WordPress extension that augments WooCommerce stores with AI-driven product search and recommendation features. The root cause is CWE-862 (Missing Authorization), meaning one or more plugin-exposed actions - typically WordPress AJAX handlers, REST routes, or admin-post endpoints - fail to verify the caller's capability or nonce before executing privileged operations. The CPE string cpe:2.3:a:motive_commerce_search:ai_product_search_for_woocommerce_–_motive_commerce_search:*:*:*:*:*:*:*:* indicates all versions through 1.38.2 of this single plugin are in scope; no WordPress core or WooCommerce core code is implicated.
RemediationAI
Upgrade the AI Product Search for WooCommerce - Motive Commerce Search plugin to a version later than 1.38.2 as soon as the vendor publishes a fixed release; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/motive-commerce-search/vulnerability/wordpress-ai-product-search-for-woocommerce-motive-commerce-search-plugin-1-38-2-broken-access-control-vulnerability for the exact patched version, as a specific fix version is not provided in the available input data - patch availability per vendor advisory is therefore noted but not independently confirmed. As compensating controls until patching, deactivate the Motive Commerce Search plugin (which removes the AI search feature from the storefront and may degrade product discoverability), or place WAF rules in front of WordPress to block unauthenticated requests to the plugin's AJAX (admin-ajax.php with the plugin's action parameter) and REST routes (typically /wp-json/<plugin-namespace>/*), accepting that overly broad rules can break legitimate frontend search functionality. Restricting /wp-admin/admin-ajax.php and /wp-json/ access by source IP where feasible is an additional layer, but is impractical for public storefronts.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36829
GHSA-vx3p-m937-p8h8