CVE-2026-39662

Vulnerability

Overview

The Product Price by Formula for WooCommerce plugin for WordPress, versions up to and including 2.5.6, contains a missing authorization vulnerability. This flaw stems from incorrectly configured access control security levels, allowing unauthenticated users to perform actions that should require higher privileges [1].

Exploitation

Attackers can exploit this broken access control by sending crafted requests to the plugin's functions that lack proper permission checks. No authentication is required, making this a low-barrier attack vector. The vulnerability is particularly dangerous because it can be used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].

Impact

Successful exploitation enables unprivileged users to execute higher-privileged actions, potentially leading to unauthorized modification of product pricing formulas or other sensitive plugin settings. This could result in financial loss, data manipulation, or further compromise of the WordPress installation [1].

Mitigation

The vendor has not released a patched version at the time of publication. Immediate action is recommended: update the plugin if a fix becomes available, or contact your hosting provider or web developer for assistance. The vulnerability is tracked with a CVSS v3 score of 5.3 (Medium severity) [1].