VYPR
Medium severity · CVSS 6.5 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-40796

Description

Subscriber-level sensitive data exposure in WPPizza <= 3.19.9 allows unauthorized access to order and customer data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The WPPizza plugin for WordPress versions 3.19.9 and earlier suffers from a sensitive data exposure vulnerability. The flaw is triggered via an unspecified subscriber-level capability, allowing authenticated users with subscriber privileges to access sensitive information that should be restricted to higher-privileged roles. The vulnerability affects all installations running WPPizza up to and including version 3.19.9 [1].

Exploitation

An attacker needs only a valid subscriber-level account on a WordPress site running a vulnerable version of WPPizza. No additional privileges and no user interaction are required. The attacker can exploit the issue through ordinary authenticated requests, directly accessing exposed data endpoints or functionality that fails to enforce proper authorization checks [1].

Impact

Successful exploitation allows the attacker to view sensitive information such as order details and customer personal data that are normally hidden from subscribers. This exposure can lead to privacy breaches and may enable further attacks on the system or its users. The CVSS v3 score is 6.5 (Medium), reflecting moderate impact on confidentiality [1].

Mitigation

The vulnerability is fixed in WPPizza version 3.20, released on or before the disclosure date. Users should update the plugin to version 3.20 or later without delay. Those who cannot update immediately can apply the mitigation rule Patchstack provides to block attacks until the update is applied. The vulnerability is expected to be exploited in mass campaigns, so prompt action is strongly recommended [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (1)

News mentions (0)

No linked articles in our index yet.