CVE-2026-11568
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk20th percentile — higher than 20% of all known CVEs
Summary
The Product Configurator for WooCommerce WordPress plugin before version 1.7.3 lacks authorization and post-status checks when returning WooCommerce product data via a public AJAX action. This allows unauthenticated users to retrieve data (title, price, weight, stock status, and configurator option pricing/SKUs) of private and draft products by supplying the product ID, bypassing WordPress post-visibility controls.
Risk Assessment
The organization is at risk of leaking sensitive product data such as prices, weights, and configurator details, which could be exploited by competitors or unauthorized individuals for market advantage or manipulation.
Recommendation
Immediately update the Product Configurator for WooCommerce plugin to version 1.7.3 or later, which includes a fix for the missing authorization and post-status checks.
Original NVD description (English source)
The Product Configurator for WooCommerce WordPress plugin before 1.7.3 does not perform any authorisation or post-status check before returning WooCommerce product data through a public AJAX action, allowing unauthenticated users to retrieve the data (title, price, weight, stock status, and configurator option pricing/SKUs) of private and draft, non-public products by supplying the product ID. WordPress post-visibility controls are bypassed.

