VYPR
High severity 7.5 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-48883

Description

Unauthenticated broken access control in WPC Product Bundles for WooCommerce <= 8.5.3 allows attackers to perform unauthorized actions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The WPC Product Bundles for WooCommerce plugin for WordPress versions 8.5.3 and earlier contains an unauthenticated broken access control vulnerability [1]. The issue stems from missing authorization checks or nonce token validation in one or more functions, allowing unauthenticated users to access or execute privileged operations [1].

Exploitation

An attacker can exploit this vulnerability without any authentication by sending crafted HTTP requests to the affected plugin endpoints [1]. The vulnerability is commonly targeted in mass-exploit campaigns, where attackers automate scans against thousands of WordPress sites, regardless of their traffic or popularity [1]. No user interaction is required, and the attack vector is network-based.

Impact

Successful exploitation enables an attacker to perform actions normally restricted to higher-privileged roles, potentially leading to unauthorized disclosure of information or modification of plugin settings and data [1]. While the vendor notes the severity as low in the context of WordPress, the CVSS v3 base score is 7.5 (High), reflecting the lack of authentication and the potential for widespread abuse [1].

Mitigation

The vulnerability is fixed in version 8.5.4 [1]. Users should update the plugin to version 8.5.4 or later immediately. If unable to update, contact a hosting provider or developer for assistance. Patchstack users can enable auto-updates for vulnerable plugins [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
