CVE-2026-42664

Vulnerability

The vulnerability is an unauthenticated broken access control issue in the "AI Product Search for WooCommerce – Motive Commerce Search" plugin for WordPress. Versions up to and including 1.38.2 are affected. The plugin fails to properly implement authorization, authentication, or nonce checks on certain functions, making them accessible without any authentication [1].

Exploitation

An attacker can exploit this vulnerability without needing any authentication or user interaction. By sending crafted HTTP requests to the vulnerable endpoints, the attacker can trigger functions that should only be available to higher-privileged users. The missing access controls allow unauthenticated attackers to perform actions that are normally restricted [1].

Impact

Successful exploitation allows an attacker to perform privileged actions, leading to potential unauthorized data access, modification, or other malicious operations. The CVSS v3 score is 8.2 (High), and the vulnerability is considered likely to be exploited in mass campaigns targeting thousands of WordPress sites [1].

Mitigation

The issue is resolved in version 1.38.3. Users should update the plugin to 1.38.3 or later immediately. As a workaround, Patchstack has issued a mitigation rule to block attacks until the patch is applied. If unable to update, consult with a hosting provider or web developer for assistance [1].