CVE-2026-49059
Status: Deferred - Pending Action
Open Redirect in Facebook for WooCommerce

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: Patchstack

Description
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Facebook Facebook for WooCommerce allows Phishing. This issue affects Facebook for WooCommerce: from n/a through 3.7.0.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: facebook
Product: facebook_for_woocommerce
Version / Range: to 3.7.0 (inc)
CWE
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Executive Summary

This vulnerability is an Open Redirect issue in Facebook for WooCommerce. It allows attackers to redirect users to untrusted or malicious websites by exploiting URL redirection mechanisms within the affected software.

Impact Analysis

The vulnerability can be used for phishing attacks by redirecting users to malicious sites without their knowledge. This can lead to users being tricked into providing sensitive information or downloading malware.

Compliance Impact

The vulnerability allows attackers to redirect users from a legitimate site to a malicious one, potentially leading to phishing incidents.

Such phishing risks could indirectly impact compliance with standards like GDPR or HIPAA, which require protection of user data and prevention of unauthorized access or disclosure.

However, the provided information does not explicitly state any direct effects on compliance with these regulations.

Detection Guidance

This vulnerability is an Open Redirect issue in the Facebook for WooCommerce plugin, so exploitation attempts can be detected by monitoring for unusual URL redirection behavior originating from the affected plugin.

To detect potential exploitation attempts, you can analyze web server logs for requests containing suspicious redirect parameters or URLs that lead to untrusted external sites.

There are no specific commands provided in the available resources, but general approaches include using tools like grep or log analyzers to search for redirect patterns in access logs.

  • Example command to search Apache logs for suspicious redirect parameters: grep -i 'redirect=' /var/log/apache2/access.log
  • Example command to search Nginx logs for external URLs in query strings: grep -Eo 'http[s]?://[^ ]+' /var/log/nginx/access.log | grep -v 'yourdomain.com'
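As an added example, not taken from the CVE record or the plugin, the following Python script applies the log-search idea above to access-log lines, but resolves the redirect value's actual destination host instead of matching substrings, so a host such as shop.example.evil.example is not mistaken for the site's own. The parameter names, the allowed hosts and the log lines are assumptions constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names that commonly carry a post-action destination, and the site's own
# hosts: both are assumptions for this example, not values from the CVE record.
REDIRECT_PARAMS = {"redirect", "redirect_to", "return_url", "next", "url"}
ALLOWED_HOSTS = {"shop.example", "www.shop.example"}

# Combined log format (Apache/Nginx): only the request target is needed.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def redirect_target_host(value: str) -> Optional[str]:
    """Host a redirect value would send the browser to; None for a same-site path."""
    value = unquote(value.strip())      # decode once more to catch double-encoding
    value = value.replace("\\", "/")    # browsers treat '\' like '/' in URLs
    parts = urlsplit(value)
    if parts.netloc:                    # absolute (https://h) or scheme-relative (//h)
        return parts.hostname
    if parts.scheme:                    # javascript:, data: ... have no netloc
        return parts.scheme + ":"
    return None

def is_offsite(host: Optional[str]) -> bool:
    """Exact-host check, so 'shop.example.evil.example' does not pass as ours."""
    return host is not None and host.lower() not in ALLOWED_HOSTS

def find_offsite_redirects(log_lines):
    """Return (parameter, value) for every request whose redirect leaves the site."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for name, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
            if name.lower() in REDIRECT_PARAMS and is_offsite(redirect_target_host(value)):
                hits.append((name, value))
    return hits

# Constructed sample log lines; none of these addresses or hosts are real indicators.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/May/2026:10:00:01 +0000] "GET /my-account/?redirect_to=/checkout/ HTTP/1.1" 302 0',
    '203.0.113.5 - - [27/May/2026:10:00:02 +0000] "GET /?redirect_to=https%3A%2F%2Fshop.example.evil.example%2Flogin HTTP/1.1" 302 0',
    '198.51.100.7 - - [27/May/2026:10:00:03 +0000] "GET /?return_url=//evil.example/ HTTP/1.1" 302 0',
    '198.51.100.7 - - [27/May/2026:10:00:04 +0000] "GET /?next=https://www.shop.example/cart HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for name, value in find_offsite_redirects(SAMPLE_LOG):
        print(f"off-site redirect via {name}={value}")
```

Pipe a real access log into find_offsite_redirects line by line and review the hits; a same-site path or an allowed host produces none.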
Mitigation Strategies

Immediate mitigation steps include updating the Facebook for WooCommerce plugin to a version higher than 3.7.0 once available.

Since no official patch is currently available, users are advised to seek assistance from their hosting provider or developer to implement temporary workarounds or restrictions on URL redirection.

Additionally, educating users about the risks of clicking suspicious links and monitoring for phishing attempts can help reduce the impact.
