CVE-2026-39668
Description
Missing Authorization vulnerability in g5theme Book Previewer for Woocommerce book-previewer-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Book Previewer for Woocommerce: from n/a through <= 1.0.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Book Previewer for WooCommerce ≤1.0.6 allows unauthenticated attackers to exploit incorrectly configured access controls.
The Book Previewer for WooCommerce plugin for WordPress, versions up to and including 1.0.6, contains a missing authorization vulnerability. The plugin fails to properly verify access control security levels, allowing exploitation of incorrectly configured access controls [1].
This broken access control issue means that the plugin does not perform adequate authorization, authentication, or nonce token checks. As a result, an unprivileged user can execute actions that should require higher privileges [1]. The vulnerability can be exploited without authentication and without making any prior authenticated requests, so it is accessible to unauthenticated attackers.
Attackers can leverage this flaw to perform unauthorized actions on affected WordPress sites. The vulnerability is noted as being used in mass-exploit campaigns, targeting thousands of websites regardless of their size or popularity [1]. The CVSS v3 base score of 5.3 reflects a medium severity, with the attack vector being network-based and requiring no user interaction.
As an immediate mitigation step, users should update the plugin to a patched version if available. If updating is not possible, it is recommended to contact the hosting provider or a web developer for assistance [1]. No workaround details are provided in the advisory.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.0.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.