CVE-2026-49110
Description
Unauthenticated broken authentication in Upsell Order Bump Offer for WooCommerce ≤3.1.4 allows attackers to gain admin access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated broken authentication in Upsell Order Bump Offer for WooCommerce ≤3.1.4 allows attackers to gain admin access.
Vulnerability
The vulnerability is an unauthenticated broken authentication issue in the Upsell Order Bump Offer for WooCommerce plugin for WordPress, affecting versions up to and including 3.1.4 [1]. Attackers can bypass authentication checks to perform actions that should be restricted to higher-privileged users, such as administrative functions.
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending specially crafted HTTP requests to the affected plugin's endpoints, bypassing authentication checks [1]. No prior access, user interaction, or special network position is required.
Impact
Successful exploitation allows the attacker to execute actions normally restricted to higher-privileged users, potentially leading to full administrative control over the WordPress website [1]. This could result in data theft, site defacement, or further compromise.
Mitigation
The vulnerability is fixed in version 3.1.5 of the plugin [1]. Users are strongly advised to update immediately. If unable to update, consider enabling auto-updates for vulnerable plugins via Patchstack or similar service [1]. No known workarounds are available.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2<=3.1.4+ 1 more
- (no CPE)range: <=3.1.4
- (no CPE)range: <=3.1.4
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1News mentions
1- Wordfence Intelligence Weekly WordPress Vulnerability Report (June 1, 2026 to June 7, 2026)Wordfence Blog · Jun 11, 2026