Skip to main content

Product Configurator For Woocommerce

2 CVEs product

Monthly

CVE-2026-11568 HIGH POC PATCH This Week

Unauthenticated information disclosure in the Product Configurator for WooCommerce WordPress plugin (versions before 1.7.3) exposes sensitive product data through a public AJAX action that skips authorization and post-status checks. By supplying only a product ID, remote unauthenticated users can read titles, prices, weights, stock status, and configurator option pricing/SKUs of private and draft products, bypassing WordPress post-visibility controls. Publicly available exploit code exists (reported by WPScan), though there is no indication of active exploitation.

WordPress Authentication Bypass Product Configurator For Woocommerce
NVD WPScan VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2022-1953 CRITICAL POC Act Now

The Product Configurator for WooCommerce WordPress plugin before 1.2.32 suffers from an arbitrary file deletion vulnerability via an AJAX action, accessible to unauthenticated users, which accepts. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Path Traversal Product Configurator For Woocommerce
NVD WPScan
CVSS 3.1
9.1
EPSS
1.7%
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Unauthenticated information disclosure in the Product Configurator for WooCommerce WordPress plugin (versions before 1.7.3) exposes sensitive product data through a public AJAX action that skips authorization and post-status checks. By supplying only a product ID, remote unauthenticated users can read titles, prices, weights, stock status, and configurator option pricing/SKUs of private and draft products, bypassing WordPress post-visibility controls. Publicly available exploit code exists (reported by WPScan), though there is no indication of active exploitation.

WordPress Authentication Bypass Product Configurator For Woocommerce
NVD WPScan VulDB
EPSS 2% CVSS 9.1
CRITICAL POC Act Now

The Product Configurator for WooCommerce WordPress plugin before 1.2.32 suffers from an arbitrary file deletion vulnerability via an AJAX action, accessible to unauthenticated users, which accepts. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Path Traversal Product Configurator For Woocommerce
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy