Description
Unauthenticated Broken Access Control in WooCommerce Anti-Fraud <= 7.2.6 versions.
Published: 2026-06-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated broken access control flaw in the WooCommerce Anti‑Fraud plugin versions up to 7.2.6. It allows an attacker to perform actions normally restricted to authenticated users. The impact is the potential for an adversary to modify plugin settings, access sensitive data, or otherwise bypass normal access restrictions, compromising the integrity and confidentiality of the e‑commerce platform.

Affected Systems

WordPress installations running the WooCommerce Anti−Fraud plugin version 7.2.6 or earlier. The plugin is authored by OPMC and is integrated into WooCommerce e‑commerce sites.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score is not available, so the current exploitation probability is unclear. The vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploits. The likely attack vector is through the web interface of the WordPress site, where unauthenticated users can send requests to the plugin. Exploitation would not require authenticated credentials, making it surface‑wide for affected sites.

Generated by OpenCVE AI on June 18, 2026 at 14:01 UTC.

Remediation

Vendor Solution

Update the WordPress WooCommerce Anti-Fraud Plugin to the latest available version (at least 7.2.7).


OpenCVE Recommended Actions

  • Update the WooCommerce Anti‑Fraud Plugin to version 7.2.7 or later
  • Remove the plugin if it is not required for site functionality
  • Restrict access to the plugin’s administrative routes using web‑server rules or .htaccess restrictions

Generated by OpenCVE AI on June 18, 2026 at 14:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Opmc
Opmc woocommerce Anti-fraud
Wordpress
Wordpress wordpress
Vendors & Products Opmc
Opmc woocommerce Anti-fraud
Wordpress
Wordpress wordpress

Fri, 19 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Broken Access Control in WooCommerce Anti-Fraud <= 7.2.6 versions.
Title WordPress WooCommerce Anti-Fraud plugin <= 7.2.6 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


Subscriptions

Opmc Woocommerce Anti-fraud
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:30:19.105Z

Reserved: 2026-05-27T10:27:01.186Z

Link: CVE-2026-49072

cve-icon Vulnrichment

Updated: 2026-06-17T15:30:12.997Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:01Z

Weaknesses