CVE Catalog

CVE-2026-11568

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

20th percentile — higher than 20% of all known CVEs

Summary

The Product Configurator for WooCommerce WordPress plugin before version 1.7.3 lacks authorization and post-status checks when returning WooCommerce product data via a public AJAX action. This allows unauthenticated users to retrieve data (title, price, weight, stock status, and configurator option pricing/SKUs) of private and draft products by supplying the product ID, bypassing WordPress post-visibility controls.

Risk Assessment

The organization is at risk of leaking sensitive product data such as prices, weights, and configurator details, which could be exploited by competitors or unauthorized individuals for market advantage or manipulation.

Recommendation

Immediately update the Product Configurator for WooCommerce plugin to version 1.7.3 or later, which includes a fix for the missing authorization and post-status checks.

Original NVD description (English source)

The Product Configurator for WooCommerce WordPress plugin before 1.7.3 does not perform any authorisation or post-status check before returning WooCommerce product data through a public AJAX action, allowing unauthenticated users to retrieve the data (title, price, weight, stock status, and configurator option pricing/SKUs) of private and draft, non-public products by supplying the product ID. WordPress post-visibility controls are bypassed.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS