Skip to main content

WCBoost Products Compare EUVDEUVD-2026-39749

| CVE-2026-57633 MEDIUM
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2026-06-26 audit@patchstack.com GHSA-9cp8-fxmh-4hc3
5.3
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network-accessible, zero-auth exposure (PR:N, AV:N); limited partial confidentiality loss only; no integrity or availability impact confirmed by description.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:13 vuln.today

DescriptionCVE.org

Unauthenticated Sensitive Data Exposure in WCBoost &#8211; Products Compare <= 1.1.0 versions.

AnalysisAI

Unauthenticated sensitive data exposure in the WCBoost - Products Compare WordPress plugin (versions <= 1.1.0) allows any remote attacker to access sensitive information without credentials. The CVSS vector confirms network-accessible exploitation requiring no authentication, no user interaction, and low complexity, yielding a partial confidentiality breach. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with plugin installed
Exploit
Send unauthenticated HTTP request to exposed endpoint
Execution
Receive sensitive data in response
Impact
Extract and leverage exposed information

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against any WordPress installation running WCBoost - Products Compare version 1.1.0 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.3 (Medium) reflects limited but real-world impact: AV:N confirms the vulnerability is exploitable over the network; AC:L and PR:N/UI:N confirm no barriers to exploitation beyond knowing the site runs this plugin. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker enumerates WordPress sites running the WCBoost - Products Compare plugin (e.g., via public scanner or Google dorking for plugin-specific assets), then sends a crafted HTTP request to the vulnerable endpoint - likely a WordPress AJAX handler or REST API route - and receives sensitive data in the response. No public exploit code has been identified at time of analysis, but the low complexity and zero authentication requirement make manual exploitation straightforward for any attacker familiar with WordPress plugin vulnerability patterns.
Remediation The primary remediation is to update the WCBoost - Products Compare plugin to a version above 1.1.0 via the WordPress admin dashboard or WP-CLI. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39749 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy