Description
Missing Authorization vulnerability in WPClever WPC Product Bundles for WooCommerce woo-product-bundle allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPC Product Bundles for WooCommerce: from n/a through <= 8.4.5.
Published: 2026-03-13
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a missing authorization flaw in the WPC Product Bundles for WooCommerce plugin, allowing attackers to bypass intended access controls and target privileged endpoints. This flaw can enable an unauthenticated or low‑privilege user to view, modify, or delete bundled product configurations, potentially compromising the integrity of the site’s product data. The weakness is described as CWE-862: Missing Authorization.

Affected Systems

The affected product is WPC Product Bundles for WooCommerce from vendor WPClever. All releases—from the initial build through version 8.4.5 inclusive—are impacted. No fixes are noted for later versions in the provided data.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity. An EPSS score of less than 1% reflects a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a remote web request performed by an unauthenticated or role‑limited user who can trigger plugin endpoints that lack proper capability checks.

Generated by OpenCVE AI on March 19, 2026 at 16:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest available patch or update the WPC Product Bundles for WooCommerce plugin to the newest supported version released by the vendor.
  • Verify that capability checks for bundle‑management features are correctly enforced for all user roles within the plugin.
  • If a timely update is not available, consider disabling the plugin until a proper fix is released to prevent unauthorized access.
  • Monitor web server and WordPress logs for unexpected or unauthenticated access attempts to bundle‑management endpoints.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress; Wpclever; Wpclever wpc Product Bundles For Woocommerce
Vendors & Products | | Wordpress; Wordpress wordpress; Wpclever; Wpclever wpc Product Bundles For Woocommerce

Fri, 13 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in WPClever WPC Product Bundles for WooCommerce woo-product-bundle allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPC Product Bundles for WooCommerce: from n/a through <= 8.4.5.
Title | | WordPress WPC Product Bundles for WooCommerce plugin <= 8.4.5 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:16:11.135Z

Reserved: 2026-03-12T11:11:14.586Z

Link: CVE-2026-32406

Vulnrichment

Updated: 2026-03-13T18:53:33.228Z

NVD

Status: Awaiting Analysis

Published: 2026-03-13T19:54:57.010

Modified: 2026-03-16T14:53:46.157

Link: CVE-2026-32406

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T12:03:56Z

Weaknesses