CVE-2026-48873

Vulnerability

An unauthenticated broken access control vulnerability exists in the Montonio for WooCommerce plugin for WordPress, affecting versions 10.1.2 and earlier [1]. The issue is a missing authorization, authentication, or nonce token check in a function, enabling an unprivileged user to execute certain higher-privileged actions [1].

Exploitation

An attacker does not require any authentication or prior access to the target site [1]. The vulnerability is expected to be exploited in mass-exploit campaigns, with attackers targeting thousands of websites regardless of traffic size or popularity [1]. The exact sequence of steps to trigger the missing access control check is not detailed in the available references.

Impact

Successful exploitation allows an unauthenticated attacker to perform actions that should require higher privileges, leading to a broken access control scenario [1]. The specific outcome—such as information disclosure, data modification, or privilege escalation—is not further detailed, but the vulnerability is considered highly dangerous and likely to be used in widespread attacks [1].

Mitigation

The vulnerability is fixed in version 10.1.3 of the Montonio for WooCommerce plugin [1]. Users are advised to update immediately to 10.1.3 or later [1]. As a workaround, Patchstack has issued a mitigation rule to block attacks until the update is applied [1]. If unable to update, users should consult their hosting provider or web developer for assistance [1].