Description
Missing Authorization vulnerability in Kaira StoreCustomizer woocustomizer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects StoreCustomizer: from n/a through <= 2.6.3.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Patch
AI Analysis

Impact

The StoreCustomizer plugin (woocustomizer) for WordPress exposes functionality that lacks proper authorization checks, enabling administrators or unauthenticated users to invoke privileged actions such as modifying store settings or viewing sensitive data without the required permissions. This flaw is categorized as a missing authorization vulnerability (CWE-862).

Affected Systems

The vulnerability affects the Kaira StoreCustomizer plugin for WordPress in all releases up to and including version 2.6.3. The advisory does not confirm whether newer releases contain a fix; therefore, the status of versions beyond 2.6.3 remains uncertain and should be evaluated individually.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation currently, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves crafting HTTP requests that bypass the missing authorization check, allowing an attacker to perform administrative actions over the web interface. If such requests are executed, the attacker could change store configuration, access confidential information, or disrupt service availability.

Generated by OpenCVE AI on March 26, 2026 at 18:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade StoreCustomizer to the latest release after version 2.6.3 and verify the patch resolves the authorization issue.
  • Take a full backup of the website and database before applying the update to enable rollback if necessary.
  • After updating, confirm that privileged actions in the plugin require the appropriate user role and that the access control bypass no longer functions.
  • If an immediate update cannot be performed, deactivate the StoreCustomizer plugin until a patched version is released to prevent potential exploitation.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Thu, 26 Mar 2026 17:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}
  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Kaira; Kaira storecustomizer; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Kaira; Kaira storecustomizer; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Values Removed: (none)
Values Added:
  Description: Missing Authorization vulnerability in Kaira StoreCustomizer woocustomizer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects StoreCustomizer: from n/a through <= 2.6.3.
  Title: WordPress StoreCustomizer plugin <= 2.6.3 - Broken Access Control vulnerability
  Weaknesses: CWE-862
  References:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-24T15:35:31.267Z

Reserved: 2026-02-17T13:23:18.876Z

Link: CVE-2026-27046

Vulnrichment

Updated: 2026-03-26T16:31:46.585Z

NVD

Status: Deferred

Published: 2026-03-25T17:16:53.853

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-27046

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:31:32Z

Weaknesses