CVE-2026-2892
Deferred Deferred - Pending Action
Purchase Verification Bypass in Otter Blocks WordPress Plugin

Publication date: 2026-04-30

Last updated on: 2026-04-30

Assigner: Wordfence

Description
The Otter Blocks plugin for WordPress is vulnerable to Purchase Verification Bypass in all versions up to, and including, 3.1.4. This is due to the 'get_customer_data' method relying on an unsigned 'o_stripe_data' cookie to determine Stripe product ownership for unauthenticated users. The 'check_purchase' method trusts this cookie data without performing server-side verification against the Stripe API for one-time 'payment' mode purchases. This makes it possible for unauthenticated attackers to bypass Stripe purchase-gated content visibility conditions by forging the 'o_stripe_data' cookie with a target product ID, which is publicly exposed in the checkout block's HTML source.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-30
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2892
EUVD
EUVD-2026-26373
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
otter_blocks otter_blocks to 3.1.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Otter Blocks plugin for WordPress has a vulnerability called Purchase Verification Bypass in all versions up to and including 3.1.4. This happens because the plugin's 'get_customer_data' method relies on an unsigned 'o_stripe_data' cookie to verify Stripe product ownership for users who are not logged in.

The 'check_purchase' method trusts the data in this cookie without verifying it on the server side against the Stripe API for one-time payment purchases. Because of this, an attacker who is not authenticated can forge the 'o_stripe_data' cookie with a product ID, which is publicly visible in the checkout block's HTML source, and bypass the purchase verification.

Detection Guidance

This vulnerability can be detected by inspecting the presence and manipulation of the 'o_stripe_data' cookie in HTTP requests to the WordPress site using the Otter Blocks plugin. Since the vulnerability involves forging this cookie to bypass purchase verification, monitoring for unusual or unauthorized 'o_stripe_data' cookie values can indicate exploitation attempts.

You can use network monitoring tools or browser developer tools to check for the 'o_stripe_data' cookie in requests. For example, using command-line tools like curl or tcpdump to capture and inspect HTTP headers may help.

  • Use curl to check the cookie in a request: curl -I --cookie "o_stripe_data=some_value" https://yourwordpresssite.com
  • Use tcpdump or Wireshark to capture HTTP traffic and filter for 'o_stripe_data' cookie in HTTP headers.
  • Inspect the checkout page HTML source for exposure of product IDs that can be used to forge the cookie.
Mitigation Strategies

Immediate mitigation steps include updating the Otter Blocks plugin to a version later than 3.1.4 where this vulnerability is fixed.

If an update is not immediately possible, consider disabling the plugin or restricting access to purchase-gated content until a patch is applied.

Additionally, monitor and block suspicious requests that include forged 'o_stripe_data' cookies.

Impact Analysis

This vulnerability allows unauthenticated attackers to bypass purchase verification and gain access to content or features that should be restricted to paying customers. Since the plugin does not properly verify purchases server-side, attackers can forge cookie data to access Stripe purchase-gated content without actually buying the product.

The impact is primarily unauthorized access to paid content, which can lead to revenue loss for the site owner and potential exposure of premium content to unauthorized users.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2892. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart