CVE-2026-49059
Description
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Facebook Facebook for WooCommerce allows Phishing.
This issue affects Facebook for WooCommerce: from n/a through 3.7.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Facebook for WooCommerce plugin up to 3.7.0 contains an open redirect vulnerability enabling phishing via unvalidated redirect URLs.
Vulnerability
CVE-2026-49059 is an Open Redirect vulnerability in the Facebook for WooCommerce plugin for WordPress, affecting versions from n/a through 3.7.0. The plugin fails to validate redirect URLs, allowing an attacker to craft a link that appears to go to a trusted site but instead redirects to an untrusted external domain. This vulnerability is present in the redirection handling code of the plugin and can be triggered without authentication, but requires a privileged user to perform an action such as clicking a malicious link [1].
Exploitation
To exploit this vulnerability, an attacker must trick a privileged user (e.g., an administrator) into clicking a specially crafted link that leverages the plugin's open redirect. The link points to a legitimate WordPress site running the vulnerable plugin but includes a parameter that redirects to an attacker-controlled phishing site. No authentication or network position other than being able to deliver the link (e.g., via email or social engineering) is required. The attacker does not need write access to the target site; user interaction is the key requirement [1].
Impact
Successful exploitation allows the attacker to perform phishing attacks. The victim, believing they are visiting the legitimate WooCommerce or Facebook integration page, is redirected to a malicious site that may steal credentials, session tokens, or other sensitive information. The impact is primarily to the confidentiality and integrity of the user's data, as the attacker can impersonate the trusted site. The vulnerability has a CVSS v3 score of 4.7 (Medium), reflecting the requirement for user interaction and the limited scope of damage compared to RCE or full compromise [1].
Mitigation
The vendor has released a fix for this vulnerability; users should update the Facebook for WooCommerce plugin to version 3.7.1 or later, which was made available after the disclosure date of 2026-05-27. If an immediate update is not possible, administrators should carefully review any redirect URLs and consider using a web application firewall (WAF) to block suspicious redirection patterns. The plugin should be kept up to date to protect against known exploit activity, as open redirects are commonly used in mass phishing campaigns [1].
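The generic fix for this vulnerability class is to validate the redirect target against the site's own host before issuing the redirect (in WordPress, wp_safe_redirect() applies this check and falls back to the admin URL). The function below is an added example, not code from the plugin or its fix, which this page does not include; the allowed host and the fallback path are constructed for the demo.

```python
"""Redirect-target validation of the kind that closes an open redirect.

Added example (not the Facebook for WooCommerce plugin's own code): decide
whether a user-supplied `redirect_to` value may be followed, and return a
safe default otherwise. ALLOWED_HOSTS and SAFE_DEFAULT are assumptions.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"shop.example.com"}   # constructed: the site's own host(s)
SAFE_DEFAULT = "/wp-admin/"            # constructed fallback target


def safe_redirect_target(raw: str, allowed_hosts=ALLOWED_HOSTS,
                         default: str = SAFE_DEFAULT) -> str:
    """Return `raw` if it points to our own site, otherwise `default`."""
    if not raw:
        return default
    value = raw.strip()
    # Browsers treat a backslash like a slash ("/\host" becomes "//host"),
    # so normalise before parsing rather than after.
    value = value.replace("\\", "/")
    # Embedded control characters (tab, newline) are never legitimate here.
    if any(ord(ch) < 0x20 for ch in value):
        return default
    parts = urlsplit(value)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path: must begin with exactly one '/'.
        # "//host" and "///host" are scheme-relative and leave the site.
        if value.startswith("/") and not value.startswith("//"):
            return value
        return default
    # Absolute URL: only http(s), only our own hosts, and no userinfo
    # (https://shop.example.com@other.host resolves to other.host).
    if parts.scheme.lower() not in ("http", "https"):
        return default
    host = (parts.hostname or "").lower()
    if "@" in parts.netloc or not host:
        return default
    # Exact host match only; "shop.example.com.other.host" must not pass.
    if host in allowed_hosts:
        return value
    return default
```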
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Facebook for WooCommerce (no CPE), range: <=3.7.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.