Skip to main content

WPC Product Options for WooCommerce EUVDEUVD-2026-36870

| CVE-2026-49061 HIGH
Path Traversal (CWE-22)
2026-06-15 Patchstack GHSA-p254-h56f-52gw
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable path traversal yields arbitrary file read (C:H) with no write or denial-of-service primitive, so I:N and A:N; no user interaction required.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 21:40 vuln.today
CVE Published
Jun 15, 2026 - 20:19 cve.org
HIGH 7.5

DescriptionCVE.org

Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce <= 3.2.1 versions.

AnalysisAI

Unauthenticated arbitrary file download in the WPC Product Options for WooCommerce WordPress plugin (versions ≤ 3.2.1) allows remote attackers to retrieve arbitrary files from the underlying server without any credentials. The flaw is a classic path traversal (CWE-22) reachable over the network at low complexity, and while no public exploit identified at time of analysis, the disclosure by Patchstack and trivial attack profile make opportunistic scanning likely against WooCommerce storefronts running this plugin.

Technical ContextAI

WPC Product Options for WooCommerce is a WordPress plugin by WPClever (CPE: cpe:2.3:a:wpclever:wpc_product_options_for_woocommerce) that extends WooCommerce product pages with configurable options such as add-ons, variants, and file selections. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), meaning a user-controlled input - likely a filename or path parameter passed to a download/serve handler - is concatenated into a filesystem path without canonicalization or allowlist validation, letting sequences like '../' escape the intended directory. Because the endpoint does not enforce authentication, the traversal is reachable by any anonymous HTTP client that can contact the WordPress front-end.

RemediationAI

Upgrade the WPC Product Options for WooCommerce plugin to a version newer than 3.2.1 once the vendor publishes a fixed release; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wpc-product-options/vulnerability/wordpress-wpc-product-options-for-woocommerce-plugin-3-2-1-arbitrary-file-download-vulnerability should be monitored for the exact patched version, as no fixed version is independently confirmed in the available data - Upstream fix status not independently confirmed. Until a patch is applied, deactivate and remove the plugin if business needs allow (loss of product option customization on storefront), or place a WAF/virtual-patch rule (e.g., Patchstack, Wordfence) in front of the site blocking requests containing '../', URL-encoded traversal sequences ('%2e%2e%2f'), or absolute paths in plugin request parameters - accepting that overly broad rules may break legitimate file-handling requests. As a defense-in-depth step, rotate WordPress secrets in wp-config.php (AUTH_KEY, SECURE_AUTH_KEY, etc.) and database credentials if you suspect the endpoint was exposed, since arbitrary file read commonly targets this file.

Share

EUVD-2026-36870 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy