CVE-2026-2892
Purchase Verification Bypass in Otter Blocks WordPress Plugin
Publication date: 2026-04-30
Last updated on: 2026-04-30
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| otter_blocks | otter_blocks | up to and including 3.1.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Otter Blocks plugin for WordPress has a vulnerability called Purchase Verification Bypass in all versions up to and including 3.1.4. This happens because the plugin's 'get_customer_data' method relies on an unsigned 'o_stripe_data' cookie to verify Stripe product ownership for users who are not logged in.
The 'check_purchase' method trusts the data in this cookie without verifying it on the server side against the Stripe API for one-time payment purchases. Because of this, an attacker who is not authenticated can forge the 'o_stripe_data' cookie with a product ID, which is publicly visible in the checkout block's HTML source, and bypass the purchase verification.
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to bypass purchase verification and gain access to content or features that should be restricted to paying customers. Since the plugin does not properly verify purchases server-side, attackers can forge cookie data to access Stripe purchase-gated content without actually buying the product.
The impact is primarily unauthorized access to paid content, which can lead to revenue loss for the site owner and potential exposure of premium content to unauthorized users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation attempts can be detected by inspecting the 'o_stripe_data' cookie in HTTP requests to a WordPress site running the Otter Blocks plugin. Because the attack consists of forging this cookie, requests carrying 'o_stripe_data' values that the plugin did not itself issue, or that a Stripe lookup does not confirm, indicate an exploitation attempt.
You can use network monitoring tools or browser developer tools to check for the 'o_stripe_data' cookie in requests; command-line tools such as curl or tcpdump can capture and inspect HTTP headers. Note that tcpdump and Wireshark only show cookie headers on plaintext HTTP: on an HTTPS site, inspect or log the Cookie header where TLS is terminated (the web server, reverse proxy or WAF).
- Use curl to check the cookie in a request: curl -I --cookie "o_stripe_data=some_value" https://yourwordpresssite.com
- Use tcpdump or Wireshark to capture HTTP traffic and filter for 'o_stripe_data' cookie in HTTP headers.
- Inspect the checkout page HTML source for exposure of product IDs that can be used to forge the cookie.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Otter Blocks plugin to a version later than 3.1.4 where this vulnerability is fixed.
If an update is not immediately possible, consider disabling the plugin or restricting access to purchase-gated content until a patch is applied.
Additionally, monitor and block suspicious requests that include forged 'o_stripe_data' cookies.