CVE-2026-32406
Description
Missing Authorization vulnerability in WPClever WPC Product Bundles for WooCommerce woo-product-bundle allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPC Product Bundles for WooCommerce: from n/a through <= 8.4.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WPC Product Bundles for WooCommerce up to 8.4.5 allows unprivileged users to exploit broken access controls.
Vulnerability
Overview
CVE-2026-32406 is a missing authorization vulnerability in the WPC Product Bundles for WooCommerce plugin (woo-product-bundle) for WordPress, affecting versions up to and including 8.4.5. The plugin fails to properly verify access control permissions, allowing exploitation of incorrectly configured security levels. This broken access control issue stems from a lack of authorization, authentication, or nonce token checks in certain functions [1].
Exploitation
An attacker can exploit this vulnerability without requiring high-level privileges. The missing authorization check means that an unprivileged user—potentially an unauthenticated visitor or a low-privilege subscriber—can execute actions that should be restricted to higher-privileged roles such as administrators. The attack surface is any WordPress site running the vulnerable plugin version, and no special network position is needed [1].
Impact
Successful exploitation allows an attacker to perform unauthorized actions within the plugin's context. While the specific actions are not detailed in the advisory, the vulnerability could enable modification of product bundle configurations, access to sensitive data, or other operations normally reserved for privileged users. The CVSS v3 base score of 4.3 (Medium) reflects a moderate impact, though the advisory notes that exploitation is considered unlikely [1].
Mitigation
The vendor has released version 8.4.6 to address the issue. Users are strongly advised to update to this version or later. For those unable to update immediately, consulting with a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins to streamline remediation [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
- Range: <=8.4.5
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.