Description
Unauthenticated Broken Authentication in Upsell Order Bump Offer for WooCommerce <= 3.1.4 versions.
Published: 2026-06-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated broken authentication flaw in the Upsell Order Bump Offer for WooCommerce plugin that allows an adversary to manipulate the price of products during checkout without logging in. The flaw is classified as CWE-1284 and compromises the integrity of e-commerce transactions rather than providing code execution.

Affected Systems

Affected systems include the WP Swings Upsell Order Bump Offer for WooCommerce plugin versions 3.1.4 and earlier, installed on WordPress sites that use WooCommerce for online sales.

Risk and Exploitability

The CVSS score of 7.5 indicates a high-severity vulnerability, while the EPSS score of less than 1% reflects a very low likelihood of exploitation in the wild; the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is the web interface: based on the description, it is inferred that attackers can exploit the flaw by submitting requests that bypass authentication. This puts the risk at a moderate level in environments that rely heavily on this plugin for sales.

Generated by OpenCVE AI on June 16, 2026 at 21:36 UTC.

Remediation

Vendor Solution

Update the WordPress Upsell Order Bump Offer for WooCommerce Plugin to the latest available version (at least 3.1.5).


OpenCVE Recommended Actions

  • Update the Upsell Order Bump Offer for WooCommerce plugin to version 3.1.5 or later, as the vendor has released a fix.
  • Until the update is applied, deactivate the plugin on all sites so that the vulnerable functionality cannot be reached.
  • Conduct a review of recent orders for any unauthorized price changes and correct transactions that may have been impacted.

Generated by OpenCVE AI on June 16, 2026 at 21:36 UTC.

Tracking


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 07:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress; Wp Swings; Wp Swings upsell Order Bump Offer For Woocommerce
Vendors & Products | | Wordpress; Wordpress wordpress; Wp Swings; Wp Swings upsell Order Bump Offer For Woocommerce

Mon, 15 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | | Unauthenticated Broken Authentication in Upsell Order Bump Offer for WooCommerce <= 3.1.4 versions.
Title | | WordPress Upsell Order Bump Offer for WooCommerce plugin <= 3.1.4 - Price Manipulation vulnerability
Weaknesses | | CWE-1284
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Subscriptions

Wordpress Wordpress
Wp Swings Upsell Order Bump Offer For Woocommerce
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T14:36:21.754Z

Reserved: 2026-05-27T15:12:19.105Z

Link: CVE-2026-49110

Vulnrichment

Updated: 2026-06-16T14:36:17.406Z

NVD

Status: Deferred

Published: 2026-06-15T21:17:20.867

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-49110

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T21:45:04Z

Weaknesses
  • CWE-1284: Improper Validation of Specified Quantity in Input