Description
Unauthenticated Sensitive Data Exposure in WCBoost – Products Compare <= 1.1.0 versions.
Published: 2026-06-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an unauthenticated attacker to read sensitive data stored or displayed by the WordPress WCBoost – Products Compare plugin. Because the plugin does not enforce proper access control, any visitor can retrieve protected information. This weakness matches CWE‑497 and can expose customer details, order history, or other private information, compromising confidentiality but not necessarily integrity or availability.

Affected Systems

WordPress sites running the WCBoost – Products Compare plugin at version 1.1.0 or earlier are affected. Site administrators must audit their WordPress installations for this plugin and verify the installed version. No other WordPress plugins or core components are listed as vulnerable.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. Because the exploitation path requires no authentication, the risk of accidental discovery is higher, though the EPSS score is not available and the vulnerability is not in the CISA KEV catalog. The likely trigger is a request to a publicly exposed endpoint; this is inferred from the "unauthenticated" wording of the description rather than stated in it. The absence of a KEV listing suggests no widespread exploitation yet, but the moderate CVSS and open access warrant prompt remediation.

Generated by OpenCVE AI on June 26, 2026 at 16:56 UTC.

Remediation

Vendor Solution

Update the WordPress WCBoost – Products Compare Plugin to the latest available version (at least 1.1.1).


OpenCVE Recommended Actions

  • Update the WordPress WCBoost – Products Compare Plugin to at least version 1.1.1.
  • If the plugin is no longer needed, deactivate or uninstall it to remove the attack surface.
  • Restrict access to the plugin’s comparison features by enabling administrator‑only usage or by applying role‑based access controls in WordPress.

Generated by OpenCVE AI on June 26, 2026 at 16:56 UTC.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Sensitive Data Exposure in WCBoost – Products Compare <= 1.1.0 versions.
Title WordPress WCBoost – Products Compare plugin <= 1.1.0 - Sensitive Data Exposure vulnerability
Weaknesses CWE-497
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T15:32:27.692Z

Reserved: 2026-06-25T08:03:10.451Z

Link: CVE-2026-57633

Vulnrichment

Updated: 2026-06-26T15:32:25.111Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:00:04Z

Weaknesses
  • CWE-497

    Exposure of Sensitive System Information to an Unauthorized Control Sphere