Description
Unauthenticated Sensitive Data Exposure in Bopo – WooCommerce Product Bundle Builder <= 1.1.6 versions.
Published: 2026-06-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated sensitive data exposure flaw exists in the WordPress Bopo – WooCommerce Product Bundle Builder plugin, versions up to and including 1.1.6. Because the plugin does not properly restrict access to certain internal data, an attacker who can reach the plugin’s endpoints can read confidential information stored or managed by the plugin. The flaw is classified as CWE-497, Exposure of Sensitive System Information to an Unauthorized Control Sphere.

Affected Systems

The vulnerability affects the Bopo – WooCommerce Product Bundle Builder plugin developed by VillaTheme. All WordPress installations running a version of this plugin that is 1.1.6 or earlier are impacted. The vendor recommendation is to upgrade to at least version 1.2.0, the earliest release that contains the fix.

Risk and Exploitability

The CVSS score of 4.3 corresponds to Medium severity. Because the issue requires no authentication, the attack surface is open to anyone who can reach the site, though the specific data that can be accessed depends on the plugin’s configuration. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalogue, suggesting that no widespread exploitation has been observed so far. Nonetheless, the potential confidentiality impact warrants prompt action.

Generated by OpenCVE AI on June 26, 2026 at 17:35 UTC.

Remediation

Vendor Solution

Update the WordPress Bopo – WooCommerce Product Bundle Builder Plugin to the latest available version (at least 1.2.0).


OpenCVE Recommended Actions

  • Update the Bopo – WooCommerce Product Bundle Builder plugin to version 1.2.0 or later
  • If an upgrade cannot be performed immediately, deactivate the plugin entirely to eliminate the exposure path
  • Review any custom settings or API endpoints added by the plugin for possible sensitive data leaks and restrict access to those that remain in use

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | Unauthenticated Sensitive Data Exposure in Bopo – WooCommerce Product Bundle Builder <= 1.1.6 versions.
Title | | WordPress Bopo – WooCommerce Product Bundle Builder plugin <= 1.1.6 - Sensitive Data Exposure vulnerability
Weaknesses | | CWE-497
References | |
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T15:31:21.319Z

Reserved: 2026-06-25T08:03:29.942Z

Link: CVE-2026-57664

Vulnrichment

Updated: 2026-06-26T15:31:18.852Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:45:03Z

Weaknesses
  • CWE-497

    Exposure of Sensitive System Information to an Unauthorized Control Sphere