VYPR
High severity · CVSS 7.5 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-42668


Description

Unauthenticated broken authentication in the Omnisend Email Marketing for WooCommerce plugin (<=1.18.0) allows attackers to gain unauthorized access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

An unauthenticated broken authentication vulnerability exists in the Email Marketing for WooCommerce by Omnisend plugin for WordPress, affecting versions up to and including 1.18.0. The flaw allows an attacker to bypass authentication mechanisms, potentially performing actions reserved for higher-privileged users, including administrative operations. No authentication is required to exploit this vulnerability.

Exploitation

An attacker can exploit this vulnerability without any prior authentication or user interaction. No special network position is required; the attacker can send crafted requests to the vulnerable endpoint. The vulnerability is highly likely to be mass-exploited in automated campaigns targeting thousands of sites. The exact sequence of steps is not publicly detailed, but it involves manipulating authentication-related parameters to impersonate higher-privileged users.

Impact

Successful exploitation allows an attacker to gain unauthorized access equivalent to that of a higher-privileged user, potentially resulting in full administrative control over the WordPress site. This can lead to complete compromise of the website's confidentiality, integrity, and availability, including data theft, site defacement, or further malware distribution.

Mitigation

The vulnerability is fixed in version 1.18.1. Users are advised to update immediately. Patchstack has also issued a mitigation rule that blocks attacks until the update is applied. Those unable to update should consult their hosting provider or web developer. The vulnerability is listed as expected to be exploited, so prompt action is critical [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE: mechanics are only generated when we can read the actual fix diff. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (1)

News mentions (0)

No linked articles in our index yet.