Skip to main content

WooCommerce Anti-Fraud EUVDEUVD-2026-37615

| CVE-2026-49072 MEDIUM
Missing Authorization (CWE-862)
2026-06-17 Patchstack
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
6.5 MEDIUM

Network-reachable, unauthenticated endpoint with no user interaction; scope unchanged; limited integrity and availability impact only, no confidentiality exposure.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 17, 2026 - 12:51 vuln.today
CVE Published
Jun 17, 2026 - 09:51 cve.org
MEDIUM 6.5

DescriptionCVE.org

Unauthenticated Broken Access Control in WooCommerce Anti-Fraud <= 7.2.6 versions.

AnalysisAI

Unauthenticated broken access control in the WooCommerce Anti-Fraud WordPress plugin by OPMC (versions ≤ 7.2.6) allows remote unauthenticated attackers to perform unauthorized actions against the anti-fraud layer of WooCommerce stores. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no credentials or user interaction are required, and CWE-862 (Missing Authorization) identifies the root cause as absent capability or permission checks on one or more plugin endpoints. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send unauthenticated HTTP request to plugin endpoint
Delivery
Bypass missing authorization check (CWE-862)
Exploit
Invoke privileged anti-fraud functionality
Execution
Manipulate fraud detection rules or order status
Impact
Fraudulent orders pass WooCommerce screening

Vulnerability AssessmentAI

Exploitation No special conditions are required for exploitation beyond the target WordPress site having the WooCommerce Anti-Fraud plugin (≤ 7.2.6) installed and active - the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms remote unauthenticated exploitation against default plugin configurations. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.5 Medium score is supported by a straightforward vector: network-reachable (AV:N), low complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N), making this trivially exploitable at scale from any internet-connected system. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP request directly to an unprotected WooCommerce Anti-Fraud plugin endpoint - such as an AJAX handler or REST route - that lacks authorization checks. By invoking this endpoint, the attacker manipulates the plugin's fraud scoring rules or flags legitimate orders as non-fraudulent, causing the WooCommerce store to process orders that would otherwise be blocked, or disrupting the availability of anti-fraud screening for active transactions. …
Remediation The primary recommended action is to update the WooCommerce Anti-Fraud plugin to a version beyond 7.2.6 once a patched release is published by OPMC; administrators should monitor the WordPress plugin repository and the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/woocommerce-anti-fraud/vulnerability/wordpress-woocommerce-anti-fraud-plugin-7-2-6-broken-access-control-vulnerability for patch availability. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37615 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy