CVE-2026-22334
Deferred - Pending Action
Arbitrary File Download in WooCommerce Book Price <= 1.3

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Subscriber Arbitrary File Download in WooCommerce Book Price versions <= 1.3.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
AI Q&A: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: patchstack
Product: woocommerce_book_price_plugin
Version / Range: to 1.3 (inc)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Executive Summary

The CVE-2026-22334 vulnerability affects the WordPress WooCommerce Book Price Plugin, specifically versions 1.3 and below.

It is classified as an Arbitrary File Download vulnerability, which means that malicious actors can exploit it to download any file from the affected website.

This includes sensitive files such as those containing login credentials or backups.

Impact Analysis

This vulnerability poses a significant risk because attackers can download sensitive files from your website without authorization.

Such unauthorized access can lead to exposure of confidential information like login credentials and backups.

The vulnerability has a high severity score of 7.5, indicating a substantial risk of exploitation.

Attackers could target thousands of websites indiscriminately, regardless of their size or popularity.

Until an official patch is released, mitigation measures such as applying Patchstack's blocking rules or updating the plugin are advised.

Mitigation Strategies

The CVE-2026-22334 vulnerability affects WooCommerce Book Price Plugin versions 1.3 and below, allowing arbitrary file download.

Immediate mitigation steps include updating the plugin to a newer version if available.

Since an official patch is not yet available, Patchstack has issued a mitigation rule to block attacks until a fix is released.

It is also advised to seek assistance from your hosting provider or a web developer to implement temporary protections.

Compliance Impact

The vulnerability allows attackers to arbitrarily download files from the affected website, including sensitive files such as those containing login credentials or backups.

This exposure of sensitive data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Therefore, exploitation of this vulnerability may result in breaches of confidentiality obligations under these standards, potentially leading to legal and financial consequences.
