Skip to main content

Omnisend WooCommerce Plugin EUVDEUVD-2026-36833

| CVE-2026-42668 HIGH
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-06-15 Patchstack GHSA-7j8h-2p3w-mmhx
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable auth bypass (CWE-288) discloses protected data with no integrity or availability impact, matching AV:N/AC:L/PR:N/UI:N and C:H only.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 21:57 vuln.today
CVE Published
Jun 15, 2026 - 20:18 cve.org
HIGH 7.5

DescriptionCVE.org

Unauthenticated Broken Authentication in Email Marketing for WooCommerce by Omnisend <= 1.18.0 versions.

AnalysisAI

Information disclosure in the Email Marketing for WooCommerce by Omnisend WordPress plugin versions 1.18.0 and earlier allows unauthenticated remote attackers to bypass authentication controls and access protected data. The flaw is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and carries CVSS 7.5 driven entirely by confidentiality impact. No public exploit identified at time of analysis, and the issue is not on CISA KEV.

Technical ContextAI

The vulnerability resides in the Omnisend plugin (CPE cpe:2.3:a:omnisend:email_marketing_for_woocommerce_by_omnisend), a WordPress extension that bridges WooCommerce stores with the Omnisend email marketing platform for newsletter, abandoned-cart, and customer segmentation flows. CWE-288 describes situations where a protected resource is reachable through an alternate code path that fails to enforce the authentication check applied on the primary path - commonly seen in WordPress plugins that expose REST API endpoints, AJAX actions (wp-admin/admin-ajax.php), or callback handlers without proper capability_check or nonce verification. The affected component is the plugin's connector logic (referenced by the Patchstack slug 'omnisend-connect'), which likely exposes one or more endpoints that disclose data without verifying caller identity.

RemediationAI

Upstream fix available per Patchstack advisory; released patched version not independently confirmed from the provided data, so administrators should upgrade the Omnisend plugin to the latest available release above 1.18.0 via the WordPress plugin dashboard and verify the installed version after update. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/omnisend-connect/vulnerability/wordpress-email-marketing-for-woocommerce-by-omnisend-plugin-1-18-0-broken-authentication-vulnerability for the vendor-confirmed fixed version. If immediate upgrade is not possible, compensating controls include deactivating the omnisend-connect plugin entirely (trade-off: loss of email marketing automation and abandoned-cart recovery), restricting access to the plugin's REST API and admin-ajax endpoints at the WAF or reverse-proxy layer by blocking unauthenticated requests to /wp-json/omnisend/* and admin-ajax.php actions prefixed with 'omnisend_' (trade-off: may break legitimate integration callbacks from Omnisend's SaaS backend), or placing the site behind an authenticated maintenance gate until patched.

Share

EUVD-2026-36833 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy