CVE-2026-49061

Vulnerability

The WPC Product Options for WooCommerce plugin for WordPress, in versions 3.2.1 and earlier, contains an unauthenticated arbitrary file download vulnerability. The flaw resides in the plugin's file retrieval functionality, which fails to properly validate user-supplied file paths, allowing an attacker to request any file readable by the web server without requiring authentication [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable plugin endpoint, specifying the path to a target file. No authentication, user interaction, or special privileges are required. The attack can be carried out remotely over the network, making it trivial to scale across multiple sites [1].

Impact

Successful exploitation allows the attacker to download arbitrary files from the WordPress installation, including configuration files such as wp-config.php (which contains database credentials), backup files, and other sensitive data. This can lead to full site compromise, data theft, and lateral movement within the hosting environment [1].

Mitigation

The vulnerability has been fixed in version 3.2.2 of the plugin. All users should update to version 3.2.2 or later immediately. For those unable to update, Patchstack offers a mitigation rule that blocks exploitation attempts. This vulnerability is expected to be widely targeted in mass-exploit campaigns [1].