Skip to main content

Upsell Order Bump Offer for WooCommerce EUVDEUVD-2026-36885

| CVE-2026-49110 HIGH
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-06-15 Patchstack GHSA-cp3w-qhjm-4333
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network request to a public checkout endpoint (AV:N/AC:L/PR:N/UI:N) tampers with order integrity only; no data disclosure or availability loss, so C:N/I:H/A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 21:33 vuln.today
CVE Published
Jun 15, 2026 - 20:19 cve.org
HIGH 7.5

DescriptionCVE.org

Unauthenticated Broken Authentication in Upsell Order Bump Offer for WooCommerce <= 3.1.4 versions.

AnalysisAI

Broken authentication in the Upsell Order Bump Offer for WooCommerce plugin (versions 3.1.4 and earlier) allows remote unauthenticated attackers to manipulate offer/price integrity on affected WordPress storefronts. Patchstack classifies the issue as a price manipulation vulnerability with high integrity impact, and no public exploit identified at time of analysis. The defect is reachable over the network without authentication or user interaction, making any WooCommerce store running the plugin a direct target.

Technical ContextAI

The affected component is the wp_swings 'Upsell Order Bump Offer for WooCommerce' WordPress plugin (CPE cpe:2.3:a:wp_swings:upsell_order_bump_offer_for_woocommerce), which injects post-cart upsell offers into the WooCommerce checkout flow. The CWE-1284 classification (Improper Validation of Specified Quantity in Input) combined with Patchstack's 'price manipulation' label indicates that the plugin trusts client-supplied values - such as bump offer price, quantity, or product identifier - submitted through its AJAX/REST endpoints rather than recomputing them server-side from the canonical WooCommerce product catalog. Because WooCommerce checkout endpoints are reachable by anonymous shoppers by design, the missing server-side validation translates directly into a broken authorization-by-input-validation flaw on a public surface.

RemediationAI

Upstream fix availability is not explicitly stated in the input data - the Patchstack record only fixes the vulnerable ceiling at <= 3.1.4, so administrators should upgrade to the next published wp_swings release above 3.1.4 once confirmed against the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/upsell-order-bump-offer-for-woocommerce/vulnerability/wordpress-upsell-order-bump-offer-for-woocommerce-plugin-3-1-4-price-manipulation-vulnerability) and the plugin's WordPress.org changelog. If no patched build is yet available, the safest compensating control is to deactivate and remove the plugin (side effect: loss of order bump upsell revenue); a lower-impact alternative is to enable Patchstack's or a WAF's virtual patch for this CVE and add a server-side WooCommerce hook (e.g. woocommerce_before_calculate_totals) that re-resolves bump offer line items against the canonical product price, rejecting any cart whose bump line price diverges, with the trade-off that custom-priced campaigns may need to be reconfigured. Finally, audit recent orders for anomalously low totals on bump-offer SKUs to detect prior abuse.

Share

EUVD-2026-36885 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy