Impact
An unauthenticated broken access control flaw exists in the WordPress WPC Product Bundles for WooCommerce plugin through version 8.5.3. The weakness, classified as CWE‑862, allows an attacker to access or modify data that should be restricted to authenticated and authorized users, potentially exposing sensitive product bundle configurations and enabling unauthorized changes to bundle behavior.
Affected Systems
The vulnerability affects WordPress sites that have the WPC Product Bundles for WooCommerce plugin by WPClever installed and are running version 8.5.3 or earlier. Any such site that has not applied the latest patch is potentially exposed.
Risk and Exploitability
The CVSS score of 7.5 denotes a high severity, while the EPSS score of less than 1% indicates that exploitation attempts are currently rare. The vulnerability is not listed in the CISA KEV catalog, reducing the likelihood of widely available exploit code. Attackers can trigger the flaw by sending unauthenticated HTTP requests to the plugin’s administrative endpoints, often by browsing or guessing URLs that expose bundle configuration data. Because no authentication is required, the only prerequisite for exploitation is the presence of the vulnerable plugin version on the site.
OpenCVE Enrichment