Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Unauthenticated network-reachable WordPress plugin endpoint with missing authorization enables data tampering only, so PR:N, AC:L, and I:H with C:N/A:N.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Broken Access Control in WPC Product Bundles for WooCommerce <= 8.5.3 versions.
AnalysisAI
Unauthorized data tampering in the WPC Product Bundles for WooCommerce WordPress plugin (versions 8.5.3 and earlier) allows remote attackers to manipulate plugin state without authentication due to missing authorization checks. Reported by Patchstack, the flaw carries a CVSS 7.5 reflecting high integrity impact with no confidentiality or availability impact, and no public exploit identified at time of analysis.
Technical ContextAI
The vulnerability lives in WPC Product Bundles for WooCommerce, a WordPress plugin by WPClever (CPE cpe:2.3:a:wpclever:wpc_product_bundles_for_woocommerce) that enables WooCommerce store owners to sell grouped product bundles. The root cause is CWE-862 (Missing Authorization), a class of bug where a code path that mutates state is reachable without verifying that the caller is permitted to perform the action - in WordPress plugins this typically manifests as AJAX or admin-post handlers lacking capability checks (current_user_can) and/or nonce verification, or REST routes with a permissive permission_callback. Because WooCommerce front-ends are publicly reachable, any such gap is directly exposed to the internet.
RemediationAI
Upgrade WPC Product Bundles for WooCommerce to a release later than 8.5.3 once the vendor publishes a fixed version; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/woo-product-bundle/vulnerability/wordpress-wpc-product-bundles-for-woocommerce-plugin-8-5-3-broken-access-control-vulnerability for the exact fixed version, as no patched release number was supplied in the input. Until then, virtual-patch the vulnerable endpoints via a WAF such as Patchstack, Wordfence, or ModSecurity to block unauthenticated requests to the plugin's AJAX/admin-post/REST handlers, or temporarily deactivate the plugin if bundle functionality is not business-critical (trade-off: bundle products will become unavailable on the storefront). Restricting access to /wp-admin/admin-ajax.php and the plugin's REST namespace from unauthenticated sources is an additional compensating control, but it can break legitimate front-end AJAX flows and should be tested before enforcement.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36858
GHSA-x932-x5cv-rrwh