Description
The Otter Blocks plugin for WordPress is vulnerable to Purchase Verification Bypass in all versions up to, and including, 3.1.4. This is due to the 'get_customer_data' method relying on an unsigned 'o_stripe_data' cookie to determine Stripe product ownership for unauthenticated users. The 'check_purchase' method trusts this cookie data without performing server-side verification against the Stripe API for one-time 'payment' mode purchases. This makes it possible for unauthenticated attackers to bypass Stripe purchase-gated content visibility conditions by forging the 'o_stripe_data' cookie with a target product ID, which is publicly exposed in the checkout block's HTML source.
Published: 2026-04-30
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability in the Otter Blocks plugin enables an unauthenticated attacker to bypass purchase verification for Stripe-gated WordPress content. The flaw stems from the get_customer_data method relying on an unsigned 'o_stripe_data' cookie to establish Stripe product ownership, and the check_purchase method then trusting that cookie without server-side validation against the Stripe API for one-time 'payment' mode purchases. Because the cookie carries no signature and nothing ties it to an actual payment, an attacker can set it to name a target product ID, which is exposed in the checkout block's HTML, and the purchase-gated visibility condition evaluates as satisfied, exposing premium content to someone who never paid.
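The following Python model is added here as an illustration and is not taken from the Otter Blocks code base. It shows the failing pattern next to a hardened one. The cookie layout (base64-encoded JSON), the 'products' and 'session_id' fields, the PAID_PRODUCTS ledger and SERVER_SECRET are all assumptions made for the example; the real o_stripe_data format is not documented on this page. The vulnerable check accepts whatever product list the client asserts, so a cookie forged with a product ID copied from the checkout block's HTML passes. The hardened check accepts only an HMAC-signed cookie that carries a checkout session reference, and resolves the paid products from a server-side lookup (standing in for the Stripe API call) rather than from the cookie itself.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional, Set

# Constructed ledger standing in for the payment processor's records
# (checkout session id -> product ids actually paid for). In a real fix this
# is a server-side Stripe API lookup; the ids here are invented for the example.
PAID_PRODUCTS: Dict[str, Set[str]] = {
    "cs_test_paid_001": {"prod_premium_report"},
}

# Hypothetical server-side secret used to sign cookies in the hardened variant.
SERVER_SECRET = b"example-only-secret-replace-in-production"


def encode_cookie(data: dict) -> str:
    """Assumed cookie body layout: base64 of compact JSON (not the real o_stripe_data format)."""
    return base64.b64encode(json.dumps(data, separators=(",", ":")).encode()).decode()


def decode_cookie(raw: str) -> dict:
    """Decode a cookie body; anything malformed or not a JSON object becomes an empty dict."""
    try:
        data = json.loads(base64.b64decode(raw, validate=True))
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        return {}
    return data if isinstance(data, dict) else {}


# --- Vulnerable pattern (CWE-285): the client-supplied cookie asserts ownership ---

def check_purchase_vulnerable(cookie: str, product_id: str) -> bool:
    """Trusts the 'products' list in an unsigned cookie; no server-side check at all."""
    owned = decode_cookie(cookie).get("products", [])
    return isinstance(owned, list) and product_id in owned


def forge_cookie(product_id: str) -> str:
    """What an unauthenticated visitor can send: a cookie naming a product id read
    from the checkout block's page source. Nothing here requires a payment."""
    return encode_cookie({"products": [product_id]})


# --- Hardened pattern: signed pointer to a session, ownership resolved server-side ---

def sign_cookie(data: dict, secret: bytes) -> str:
    """Server issues 'body.hexhmac'; the tag binds the body to this site's secret."""
    body = encode_cookie(data)
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str, secret: bytes) -> Optional[dict]:
    """Return the decoded body only if the HMAC tag is valid; None otherwise."""
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    # Compare as bytes so an attacker-supplied non-ASCII tag cannot raise instead of failing.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return decode_cookie(body) or None


def check_purchase_hardened(
    cookie: str,
    product_id: str,
    secret: bytes = SERVER_SECRET,
    lookup: Callable[[str], Set[str]] = lambda sid: PAID_PRODUCTS.get(sid, set()),
) -> bool:
    """Accept only a cookie this server signed, and even then use it solely to find
    the checkout session; the paid product set comes from the processor-side lookup."""
    data = verify_cookie(cookie, secret)
    if data is None:
        return False
    session_id = data.get("session_id")
    if not isinstance(session_id, str):
        return False
    return product_id in lookup(session_id)


if __name__ == "__main__":
    target = "prod_premium_report"  # id visible in the checkout block HTML
    forged = forge_cookie(target)
    print("vulnerable check, forged cookie:", check_purchase_vulnerable(forged, target))  # True
    print("hardened check, forged cookie:", check_purchase_hardened(forged, target))  # False
    legit = sign_cookie({"session_id": "cs_test_paid_001"}, SERVER_SECRET)
    print("hardened check, signed and paid:", check_purchase_hardened(legit, target))  # True
    print("hardened check, signed, not paid:", check_purchase_hardened(legit, "prod_other"))  # False
```

Signing alone would already stop the forgery, but keeping only a session reference in the cookie and re-resolving ownership on every request is what matches the advisory's point: the server, not the client, must answer whether the product was paid for. This is a description of the fix shape, not a drop-in change for an affected site; the plugin update remains the supported remedy.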

Affected Systems

The issue affects the ThemeIsle Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress, versions up to and including 3.1.4. Users running these plugin versions on any WordPress installation are vulnerable until the issue is remediated.

Risk and Exploitability

The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates high severity: the impact is confined to confidentiality, but the attack is network-reachable and needs no privileges or user interaction. The EPSS score is below 1%, and this vulnerability has not been listed in the CISA KEV catalog. No victim interaction is required: the attacker sets a forged 'o_stripe_data' cookie in their own requests, and because the server never verifies the cookie's content, the request is accepted and purchase-restricted content is served. Given that the attacker only needs to set a cookie and the product ID is publicly visible in the page source, exploitation is trivial on any publicly accessible site running an affected version.

Generated by OpenCVE AI on May 1, 2026 at 05:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Otter Blocks plugin to version 3.1.5 or later, where the cookie verification is corrected; since this page records no vendor fix, confirm the fixed version in the vendor changelog before relying on it.
  • If an update cannot be applied immediately, stop relying on the Stripe purchase visibility condition for unauthenticated visitors: remove the related visibility rule from the block settings or require login for the gated content, since that condition is exactly what the forged cookie satisfies.
  • As a stopgap, strip the 'o_stripe_data' cookie from unauthenticated requests at a reverse proxy or WAF before they reach WordPress. This defeats the forgery but also removes legitimate guest purchasers' access, so treat it as temporary; adding server-side verification of the cookie yourself means modifying plugin code, which the update supersedes.

Generated by OpenCVE AI on May 1, 2026 at 05:10 UTC.


Advisories

No advisories yet.

History

Fri, 01 May 2026 17:30:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 May 2026 08:45:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Themeisle; Themeisle otter Blocks – Gutenberg Blocks, Page Builder For Gutenberg Editor & Fse; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Themeisle; Themeisle otter Blocks – Gutenberg Blocks, Page Builder For Gutenberg Editor & Fse; Wordpress; Wordpress wordpress

Thu, 30 Apr 2026 14:15:00 +0000

Type: Description
Values Removed: none
Values Added: The Otter Blocks plugin for WordPress is vulnerable to Purchase Verification Bypass in all versions up to, and including, 3.1.4. This is due to the 'get_customer_data' method relying on an unsigned 'o_stripe_data' cookie to determine Stripe product ownership for unauthenticated users. The 'check_purchase' method trusts this cookie data without performing server-side verification against the Stripe API for one-time 'payment' mode purchases. This makes it possible for unauthenticated attackers to bypass Stripe purchase-gated content visibility conditions by forging the 'o_stripe_data' cookie with a target product ID, which is publicly exposed in the checkout block's HTML source.

Type: Title
Values Removed: none
Values Added: Otter Blocks <= 3.1.4 - Improper Authorization to Unauthenticated Purchase Verification Bypass via Forged Cookie

Type: Weaknesses
Values Removed: none
Values Added: CWE-285

Type: References
Values Removed: none
Values Added: none

Type: Metrics (cvssV3_1)
Values Removed: none
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Themeisle Otter Blocks – Gutenberg Blocks, Page Builder For Gutenberg Editor & Fse
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-01T16:38:40.570Z

Reserved: 2026-02-20T18:15:09.231Z

Link: CVE-2026-2892

Vulnrichment

Updated: 2026-05-01T16:38:35.368Z

NVD

Status: Deferred

Published: 2026-04-30T14:16:29.760

Modified: 2026-04-30T14:52:54.847

Link: CVE-2026-2892

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:21:18Z

Weaknesses