Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Unauthenticated network request to a public checkout endpoint (AV:N/AC:L/PR:N/UI:N) tampers with order integrity only; no data disclosure or availability loss, so C:N/I:H/A:N.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Broken Authentication in Upsell Order Bump Offer for WooCommerce <= 3.1.4 versions.
AnalysisAI
Broken authentication in the Upsell Order Bump Offer for WooCommerce plugin (versions 3.1.4 and earlier) allows remote unauthenticated attackers to manipulate offer/price integrity on affected WordPress storefronts. Patchstack classifies the issue as a price manipulation vulnerability with high integrity impact, and no public exploit identified at time of analysis. The defect is reachable over the network without authentication or user interaction, making any WooCommerce store running the plugin a direct target.
Technical ContextAI
The affected component is the wp_swings 'Upsell Order Bump Offer for WooCommerce' WordPress plugin (CPE cpe:2.3:a:wp_swings:upsell_order_bump_offer_for_woocommerce), which injects post-cart upsell offers into the WooCommerce checkout flow. The CWE-1284 classification (Improper Validation of Specified Quantity in Input) combined with Patchstack's 'price manipulation' label indicates that the plugin trusts client-supplied values - such as bump offer price, quantity, or product identifier - submitted through its AJAX/REST endpoints rather than recomputing them server-side from the canonical WooCommerce product catalog. Because WooCommerce checkout endpoints are reachable by anonymous shoppers by design, the missing server-side validation translates directly into a broken authorization-by-input-validation flaw on a public surface.
RemediationAI
Upstream fix availability is not explicitly stated in the input data - the Patchstack record only fixes the vulnerable ceiling at <= 3.1.4, so administrators should upgrade to the next published wp_swings release above 3.1.4 once confirmed against the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/upsell-order-bump-offer-for-woocommerce/vulnerability/wordpress-upsell-order-bump-offer-for-woocommerce-plugin-3-1-4-price-manipulation-vulnerability) and the plugin's WordPress.org changelog. If no patched build is yet available, the safest compensating control is to deactivate and remove the plugin (side effect: loss of order bump upsell revenue); a lower-impact alternative is to enable Patchstack's or a WAF's virtual patch for this CVE and add a server-side WooCommerce hook (e.g. woocommerce_before_calculate_totals) that re-resolves bump offer line items against the canonical product price, rejecting any cart whose bump line price diverges, with the trade-off that custom-priced campaigns may need to be reconfigured. Finally, audit recent orders for anomalously low totals on bump-offer SKUs to detect prior abuse.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36885
GHSA-cp3w-qhjm-4333