Description
Unauthenticated Broken Access Control in WPC Product Bundles for WooCommerce <= 8.5.3 versions.
Published: 2026-06-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated broken access control flaw exists in the WordPress WPC Product Bundles for WooCommerce plugin through version 8.5.3. The weakness, classified as CWE‑862, allows an attacker to access or modify data that should be restricted to authenticated and authorized users, potentially exposing sensitive product bundle configurations and enabling unauthorized changes to bundle behavior.

Affected Systems

The vulnerability affects WordPress sites that have the WPC Product Bundles for WooCommerce plugin by WPClever installed and are running version 8.5.3 or earlier. Any such site that has not applied the latest patch is potentially exposed.

Risk and Exploitability

The CVSS score of 7.5 denotes a high severity, while the EPSS score of less than 1% indicates that exploitation attempts are currently rare. The vulnerability is not listed in the CISA KEV catalog, reducing the likelihood of widely available exploit code. Attackers can trigger the flaw by sending unauthenticated HTTP requests to the plugin’s administrative endpoints, often by browsing or guessing URLs that expose bundle configuration data. Because no authentication is required, the only prerequisite for exploitation is the presence of the vulnerable plugin version on the site.

Generated by OpenCVE AI on June 18, 2026 at 00:35 UTC.

Remediation

Vendor Solution

Update the WordPress WPC Product Bundles for WooCommerce Plugin to the latest available version (at least 8.5.4).


OpenCVE Recommended Actions

  • Upgrade the WPC Product Bundles for WooCommerce plugin to version 8.5.4 or later.
  • Configure role‑based access controls to limit administrative page access to trusted administrators.
  • Apply a web application firewall rule to block unauthenticated requests to the plugin’s administrative endpoints.

Generated by OpenCVE AI on June 18, 2026 at 00:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpclever
Wpclever wpc Product Bundles For Woocommerce
Vendors & Products Wordpress
Wordpress wordpress
Wpclever
Wpclever wpc Product Bundles For Woocommerce

Mon, 15 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Broken Access Control in WPC Product Bundles for WooCommerce <= 8.5.3 versions.
Title WordPress WPC Product Bundles for WooCommerce plugin <= 8.5.3 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Subscriptions

Wordpress Wordpress
Wpclever Wpc Product Bundles For Woocommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-15T22:27:14.642Z

Reserved: 2026-05-25T22:37:16.413Z

Link: CVE-2026-48883

cve-icon Vulnrichment

Updated: 2026-06-15T22:27:11.121Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:17.613

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-48883

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T00:45:02Z

Weaknesses