Skip to main content

WPC Product Bundles EUVDEUVD-2026-36858

| CVE-2026-48883 HIGH
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-x932-x5cv-rrwh
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable WordPress plugin endpoint with missing authorization enables data tampering only, so PR:N, AC:L, and I:H with C:N/A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 21:45 vuln.today
CVE Published
Jun 15, 2026 - 20:19 cve.org
HIGH 7.5

DescriptionCVE.org

Unauthenticated Broken Access Control in WPC Product Bundles for WooCommerce <= 8.5.3 versions.

AnalysisAI

Unauthorized data tampering in the WPC Product Bundles for WooCommerce WordPress plugin (versions 8.5.3 and earlier) allows remote attackers to manipulate plugin state without authentication due to missing authorization checks. Reported by Patchstack, the flaw carries a CVSS 7.5 reflecting high integrity impact with no confidentiality or availability impact, and no public exploit identified at time of analysis.

Technical ContextAI

The vulnerability lives in WPC Product Bundles for WooCommerce, a WordPress plugin by WPClever (CPE cpe:2.3:a:wpclever:wpc_product_bundles_for_woocommerce) that enables WooCommerce store owners to sell grouped product bundles. The root cause is CWE-862 (Missing Authorization), a class of bug where a code path that mutates state is reachable without verifying that the caller is permitted to perform the action - in WordPress plugins this typically manifests as AJAX or admin-post handlers lacking capability checks (current_user_can) and/or nonce verification, or REST routes with a permissive permission_callback. Because WooCommerce front-ends are publicly reachable, any such gap is directly exposed to the internet.

RemediationAI

Upgrade WPC Product Bundles for WooCommerce to a release later than 8.5.3 once the vendor publishes a fixed version; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/woo-product-bundle/vulnerability/wordpress-wpc-product-bundles-for-woocommerce-plugin-8-5-3-broken-access-control-vulnerability for the exact fixed version, as no patched release number was supplied in the input. Until then, virtual-patch the vulnerable endpoints via a WAF such as Patchstack, Wordfence, or ModSecurity to block unauthenticated requests to the plugin's AJAX/admin-post/REST handlers, or temporarily deactivate the plugin if bundle functionality is not business-critical (trade-off: bundle products will become unavailable on the storefront). Restricting access to /wp-admin/admin-ajax.php and the plugin's REST namespace from unauthenticated sources is an additional compensating control, but it can break legitimate front-end AJAX flows and should be tested before enforcement.

Share

EUVD-2026-36858 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy