CVE-2026-32457
Description
Missing Authorization vulnerability in Wombat Plugins Advanced Product Fields (Product Addons) for WooCommerce advanced-product-fields-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Advanced Product Fields (Product Addons) for WooCommerce: from n/a through <= 1.6.18.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Advanced Product Fields for WooCommerce plugin allows unauthenticated access to restricted functionality, potentially exploited in mass campaigns.
The vulnerability is a missing authorization check in the Advanced Product Fields (Product Addons) for WooCommerce plugin, affecting versions up to and including 1.6.18. The plugin fails to properly enforce access control security levels, allowing unauthenticated users to execute functions that should require higher privileges [1].
An attacker can exploit this by sending crafted HTTP requests to the WordPress site without any authentication. The attack surface is broad, as the plugin is widely used, and no special network position is required. The vulnerability is classified as a broken access control issue, which can be leveraged in automated mass-exploit campaigns targeting thousands of sites [1].
The impact is considered low severity (CVSS 5.3) and unlikely to be exploited in targeted attacks, but the potential for widespread abuse exists. An attacker could manipulate product fields, potentially leading to data corruption or privilege escalation within the WooCommerce environment [1].
Mitigation is straightforward: update the plugin to version 1.6.19 or later, which includes the necessary authorization checks. Patchstack users can enable auto-updates for vulnerable plugins. If immediate updating is not possible, consulting a hosting provider or web developer is recommended [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.6.18
Patches
No patches discovered yet.
References: 1