Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Network-reachable plugin endpoint, no auth required per missing authorization flaw, scope unchanged, no confidentiality loss, limited integrity and availability impact only.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in EDGARROJAS Extra Product Options Builder for WooCommerce additional-product-fields-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Extra Product Options Builder for WooCommerce: from n/a through <= 1.2.167.
AnalysisAI
Missing authorization in the Extra Product Options Builder for WooCommerce plugin (versions through 1.2.167) permits remote unauthenticated attackers to perform restricted actions without valid credentials, impacting both data integrity and service availability on affected WordPress storefronts. The flaw stems from CWE-862 - the plugin exposes endpoints or AJAX actions that fail to verify whether the caller holds the necessary capability or role before executing sensitive operations. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special exploitation conditions are required beyond the plugin being installed and active on a WordPress/WooCommerce site: the CVSS vector AV:N/AC:L/PR:N/UI:N confirms remote, unauthenticated, low-complexity exploitation against any default deployment of the plugin. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 6.5 (Medium) reflects a network-accessible, zero-complexity, unauthenticated vector (AV:N/AC:L/PR:N/UI:N), with limited but real integrity and availability impacts (I:L/A:L) and no confidentiality loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker identifies a WordPress storefront running the vulnerable plugin version by inspecting page source or probing known WooCommerce plugin fingerprints. The attacker sends a crafted HTTP POST request to the site's AJAX endpoint targeting a plugin action that lacks authorization checks, successfully manipulating product option configurations or disrupting their availability - for example, altering pricing fields or removing required option sets from product listings - without ever authenticating to the WordPress site. |
| Remediation | The primary fix is to update the Extra Product Options Builder for WooCommerce plugin to any version released after 1.2.167; however, no exact patched version number is confirmed in the available input data - administrators should consult the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/additional-product-fields-for-woocommerce/vulnerability/wordpress-extra-product-options-builder-for-woocommerce-plugin-1-2-167-broken-access-control-vulnerability for the confirmed fixed release before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43463