Description
Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce <= 3.2.1 versions.
Published: 2026-06-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress WPC Product Options for WooCommerce plugin versions 3.2.1 and earlier allow an unauthenticated attacker to request and download arbitrary files from the server file system; a single HTTP request can expose configuration files, credentials, or private content. The vulnerability is due to insecure file path handling that does not validate or sanitize user input, classified as CWE‑22. If exploited, sensitive information could be retrieved without user interaction, compromising privacy and potentially facilitating further attacks.

Affected Systems

The flaw is present in the WPC Product Options for WooCommerce plugin offered by WPClever when installed at version 3.2.1 or earlier. Versions 3.2.2 and newer contain the fix and are considered secure.

Risk and Exploitability

The CVSS base score of 7.5 indicates substantial risk, yet the EPSS score of less than 1% suggests current exploitation likelihood is low. Because the flaw is unauthenticated and remote, an attacker can trigger it simply by visiting a crafted URL on the target site, but it has not been reported in the CISA KEV catalog, and no known active exploits have been disclosed. Therefore, while the potential impact is serious, the probability of exploitation remains modest.

Generated by OpenCVE AI on June 18, 2026 at 00:32 UTC.

Remediation

Vendor Solution

Update the WordPress WPC Product Options for WooCommerce Plugin to the latest available version (at least 3.2.2).


OpenCVE Recommended Actions

  • Update the WPC Product Options for WooCommerce plugin to version 3.2.2 or later to apply the vendor‑supplied fix.
  • If you cannot upgrade immediately, block external access to the plugin’s file download endpoint using web‑server rules or a WAF to prevent arbitrary file requests.
  • Verify that the plugin’s file permissions are set to the strictest mode required for normal operation, and consider disabling the plugin if it is not needed for business functions.

Generated by OpenCVE AI on June 18, 2026 at 00:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpclever
Wpclever wpc Product Options For Woocommerce
Vendors & Products Wordpress
Wordpress wordpress
Wpclever
Wpclever wpc Product Options For Woocommerce

Mon, 15 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce <= 3.2.1 versions.
Title WordPress WPC Product Options for WooCommerce plugin <= 3.2.1 - Arbitrary File Download vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Wordpress Wordpress
Wpclever Wpc Product Options For Woocommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-15T21:56:20.954Z

Reserved: 2026-05-27T10:26:54.456Z

Link: CVE-2026-49061

cve-icon Vulnrichment

Updated: 2026-06-15T21:56:17.434Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:19.073

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-49061

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:45:35Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')