Description
The Product Specifications for WooCommerce plugin for WordPress is vulnerable to unauthorized modification, creation, and deletion of data in versions up to and including 0.8.9. This is due to a missing capability check and missing nonce verification in the __invoke() methods of the AttributeGroupController and AttributeController classes, which are bound to the 'dwps_modify_groups' and 'dwps_modify_attributes' AJAX actions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create, edit, and delete arbitrary product specification groups and attributes (taxonomy terms in the 'spec-group' and attribute taxonomies), corrupting business data and impacting the site's frontend display.
Published: 2026-06-27
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Product Specifications for WooCommerce plugin does not verify the user’s capability or a nonce when handling the ‘dwps_modify_groups’ and ‘dwps_modify_attributes’ AJAX actions. The wp_ajax_ hooks these actions run under only require that the requester be logged in, so any account at Subscriber level or higher can create, edit, or delete product specification groups and attributes, the taxonomy terms that control how product information appears on the front end. The missing nonce check additionally means the requests carry no CSRF protection. The resulting data corruption can alter product listings, misrepresent inventory, and undermine customer trust. The weakness is classified as CWE-862 (Missing Authorization): data modification is permitted beyond the intended role boundaries.
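
The pattern behind this weakness class, shown as an added illustration that is not code from the Product Specifications for WooCommerce plugin: a WordPress AJAX handler that performs taxonomy writes with no check beyond the login that wp_ajax_ implies, next to the same handler with nonce verification and a capability check in front of the write. The class names follow the advisory; the helper functions, the request fields, the nonce action ‘dwps_modify’, the script handle ‘dwps-admin’ and the capability ‘manage_woocommerce’ are assumptions for the example. The same fix applies to the attribute handler bound to ‘dwps_modify_attributes’.

```php
<?php
/*
 * Added illustration, not plugin code. Helper names, request fields, the nonce
 * action 'dwps_modify', the script handle 'dwps-admin' and the capability
 * 'manage_woocommerce' are assumptions made for this example.
 */

/** Read the three request fields every variant below uses (assumed field names). */
function dwps_read_group_request(): array {
    return [
        'op'      => sanitize_key( $_POST['op'] ?? '' ),
        'term_id' => (int) ( $_POST['term_id'] ?? 0 ),
        'name'    => sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) ),
    ];
}

/** Perform the requested write on the 'spec-group' taxonomy. */
function dwps_apply_group_change( string $op, int $term_id, string $name ) {
    switch ( $op ) {
        case 'delete':
            return wp_delete_term( $term_id, 'spec-group' );
        case 'update':
            return wp_update_term( $term_id, 'spec-group', [ 'name' => $name ] );
        default:
            return wp_insert_term( $name, 'spec-group' );
    }
}

/** Send the outcome back to the caller and terminate the request. */
function dwps_respond( $result ): void {
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message() );
    }
    wp_send_json_success( $result );
}

/** VULNERABLE pattern: any logged-in user reaches the write, and no CSRF token is checked. */
final class AttributeGroupController_Vulnerable {
    public function __invoke(): void {
        // wp_ajax_* guarantees only that *some* authenticated session exists.
        $r = dwps_read_group_request();
        dwps_respond( dwps_apply_group_change( $r['op'], $r['term_id'], $r['name'] ) );
    }
}

/** FIXED pattern: verify the nonce (CSRF), then the capability (authorization). */
final class AttributeGroupController_Fixed {
    public function __invoke(): void {
        // 1. CSRF: the request must carry, in the 'nonce' field, a nonce minted
        //    for the 'dwps_modify' action. On failure this dies with HTTP 403.
        check_ajax_referer( 'dwps_modify', 'nonce' );

        // 2. Authorization: Subscribers fail this and never reach the write.
        if ( ! current_user_can( 'manage_woocommerce' ) ) {
            wp_send_json_error( [ 'message' => 'Insufficient permissions.' ], 403 );
        }

        $r = dwps_read_group_request();
        dwps_respond( dwps_apply_group_change( $r['op'], $r['term_id'], $r['name'] ) );
    }
}

// Bind the fixed handler. Using wp_ajax_ without a wp_ajax_nopriv_ twin keeps
// the action limited to logged-in users; the checks above do the rest.
add_action( 'wp_ajax_dwps_modify_groups', new AttributeGroupController_Fixed() );

// Hand the nonce to the admin script so the legitimate UI keeps working once
// the server enforces it (the client sends it as the 'nonce' POST field).
add_action( 'admin_enqueue_scripts', function (): void {
    wp_localize_script( 'dwps-admin', 'dwpsAjax', [
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'dwps_modify' ),
    ] );
} );
```

The order of the two checks matters only for error reporting; what matters for security is that both sit before the first write. check_ajax_referer() alone would still let a Subscriber who obtains a nonce from a page they can load go through, and current_user_can() alone leaves the request forgeable, which is why the advisory lists both omissions.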

Affected Systems

Any WordPress site running the Product Specifications for WooCommerce plugin up to and including version 0.8.9 is affected. The vulnerability exists within the AttributeGroupController and AttributeController classes of these versions, and it applies to sites that have the plugin activated without additional hardening.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (Medium) reflects the vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N: reachable over the network, low attack complexity, low privileges (any account, including Subscriber), no user interaction, and a limited impact on integrity only. No EPSS score is available, so the probability of exploitation is currently unknown, and the CVE is not in CISA’s KEV catalog. An attacker needs an existing account; on sites that allow self-registration the default role for new accounts is Subscriber, so that barrier is low. Exploitation lets the attacker create, alter, or delete specification groups and attributes but does not yield code execution, access to confidential data, or control of the platform. The business impact can still be substantial if customer-facing product information becomes inconsistent or incorrect.

Generated by OpenCVE AI on June 27, 2026 at 08:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Product Specifications for WooCommerce to the first release after 0.8.9 that adds the capability check and nonce verification. The AI-generated recommendation cites 0.9.0 as that release; confirm it against the vendor changelog, since the Remediation field above still lists no vendor fix.
  • If an update is not yet possible, block the ‘dwps_modify_groups’ and ‘dwps_modify_attributes’ AJAX actions for Subscriber-level roles, for example with a must-use plugin that hooks ‘wp_ajax_dwps_modify_groups’ and ‘wp_ajax_dwps_modify_attributes’ ahead of the plugin’s own handlers and rejects requests from users lacking a suitable capability, or by restricting those roles through a permissions plugin. A site-side guard of this kind can enforce the capability check only; the missing nonce verification can only be added by the vendor fix.
  • For an immediate temporary fix, disable or delete the Product Specifications for WooCommerce plugin until a patched version is available, which eliminates the attack surface entirely.

Generated by OpenCVE AI on June 27, 2026 at 08:22 UTC.
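
One way to implement the interim guard from the recommended actions, as an added example that is not the vendor’s code or part of the original page: a must-use plugin that hooks the two vulnerable AJAX actions at priority 0, so it runs before any handler attached at the default priority 10, and rejects requests from users without a WooCommerce management capability. Assumed: the vendor handlers are attached at the default priority, ‘manage_woocommerce’ is the capability held by the users who legitimately edit specification groups and attributes, and the file is placed in wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: DWPS AJAX capability guard (temporary, added example)
 * Description: Rejects 'dwps_modify_groups' and 'dwps_modify_attributes'
 *              requests from users lacking 'manage_woocommerce'. Not vendor
 *              code; assumes the vendor handlers run at the default priority 10.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Never run outside WordPress.
}

/** The two AJAX actions named in the advisory (no wp_ajax_nopriv_ twins exist). */
const DWPS_GUARDED_ACTIONS = [ 'dwps_modify_groups', 'dwps_modify_attributes' ];

/** Capability assumed to separate legitimate editors from Subscriber-level users. */
const DWPS_REQUIRED_CAP = 'manage_woocommerce';

/**
 * Runs before the vendor handler. Returns silently for authorised users,
 * otherwise logs the attempt and terminates the request with HTTP 403.
 */
function dwps_guard_ajax_action(): void {
    if ( current_user_can( DWPS_REQUIRED_CAP ) ) {
        return; // Authorised: let the vendor callback run as usual.
    }

    // One line per blocked attempt so SIEM/log review can pick it up.
    error_log( sprintf(
        'dwps-guard: blocked action=%s user=%d ip=%s',
        sanitize_key( $_REQUEST['action'] ?? '' ),
        get_current_user_id(),
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ) );

    // wp_send_json_error() dies after sending, so the vendor handler never runs.
    wp_send_json_error( [ 'message' => 'Forbidden' ], 403 );
}

foreach ( DWPS_GUARDED_ACTIONS as $action ) {
    // Priority 0 fires ahead of the default priority 10 used by most plugins.
    add_action( 'wp_ajax_' . $action, 'dwps_guard_ajax_action', 0 );
}
```

Before relying on it, grep the plugin for its add_action() calls on these hooks and confirm no priority lower than 0 is used; otherwise the vendor callback fires first and the guard is moot. The guard deliberately does not call check_ajax_referer(): the plugin’s own admin JavaScript sends no nonce this file could verify, so such a call would reject every legitimate request too. CSRF protection therefore still depends on installing the vendor fix.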

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 07:30:00 +0000 (record created: all values below added, none removed)

Description added: The Product Specifications for WooCommerce plugin for WordPress is vulnerable to unauthorized modification, creation, and deletion of data in versions up to and including 0.8.9. This is due to a missing capability check and missing nonce verification in the __invoke() methods of the AttributeGroupController and AttributeController classes, which are bound to the 'dwps_modify_groups' and 'dwps_modify_attributes' AJAX actions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create, edit, and delete arbitrary product specification groups and attributes (taxonomy terms in the 'spec-group' and attribute taxonomies), corrupting business data and impacting the site's frontend display.
Title added: Product Specifications for Woocommerce <= 0.8.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Attribute/Group Creation, Modification, and Deletion via 'dwps_modify_groups' and 'dwps_modify_attributes' AJAX Actions
Weaknesses added: CWE-862
References added: (none listed)
Metrics added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-27T06:50:56.792Z

Reserved: 2026-06-05T11:45:53.684Z

Link: CVE-2026-11364

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-27T08:30:07Z

Weaknesses