CVE-2026-11568
Status: Received - Intake

Unauthenticated Product Data Exposure in WooCommerce Configurator

Vulnerability report for CVE-2026-11568, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: WPScan

Description

The Product Configurator for WooCommerce WordPress plugin before 1.7.3 does not perform any authorisation or post-status check before returning WooCommerce product data through a public AJAX action, allowing unauthenticated users to retrieve the data (title, price, weight, stock status, and configurator option pricing/SKUs) of private and draft, non-public products by supplying the product ID. WordPress post-visibility controls are bypassed.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A
External records: NVD, EUVD

Affected Vendors & Products

One associated CPE:

Vendor: wpengine
Product: product_configurator_for_woocommerce
Version / Range: all versions before 1.7.3 (1.7.3 itself excluded)

Helpful Resources

Exploitability

CWE ID: CWE-UNKNOWN
KEV: not indicated on this record

Attack-Flow Graph

AI Quick Actions (AI-generated analysis)
Executive Summary

The Product Configurator for WooCommerce WordPress plugin versions before 1.7.3 contains a vulnerability that allows unauthenticated users to access private or draft product data.

This happens because the plugin does not perform any authorization or post-status checks before returning WooCommerce product information through a public AJAX action called pc_get_data.

As a result, anyone can retrieve sensitive product details such as title, price, weight, stock status, and configurator option pricing or SKUs by simply providing the product ID, bypassing WordPress post-visibility controls.

Impact Analysis

This vulnerability can lead to sensitive data disclosure by exposing non-public product information to unauthenticated users.

Attackers or unauthorized users can access private or draft product details such as pricing, stock status, and other confidential configurator data without any special configuration or authentication.

This exposure could potentially harm business confidentiality, competitive advantage, and customer trust.

Compliance Impact

This vulnerability allows unauthenticated users to access private or draft product data, which constitutes a sensitive data disclosure.

Such unauthorized disclosure of non-public information could lead to non-compliance with data protection regulations like GDPR or HIPAA, which require protection of sensitive data and control over access.

By bypassing authorization and post-visibility controls, the vulnerability undermines confidentiality and access control requirements mandated by these standards.

Detection Guidance

This vulnerability can be detected by attempting to access the public AJAX action pc_get_data with different WooCommerce product IDs without authentication. If private or draft product data such as title, price, weight, stock status, or configurator pricing details are returned, the system is vulnerable.

One way to test this is to send a request to the AJAX endpoint with a product ID parameter, using curl or any other HTTP client, for example:

  • curl -X POST https://your-wordpress-site.com/wp-admin/admin-ajax.php -d action=pc_get_data -d product_id=123

If the response contains product details for private or draft products without authentication, the vulnerability exists.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Product Configurator for WooCommerce plugin to version 1.7.3 or later, where the issue has been fixed.

Until the update can be applied, restrict access to the AJAX endpoint or implement custom authorization checks to prevent unauthenticated users from accessing the pc_get_data action.

Additionally, monitor your WooCommerce product data for any unauthorized access or disclosure.
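The authorization and post-status check the mitigation refers to can be expressed as a WordPress AJAX handler that consults the same post-visibility rules WordPress itself applies. The code below is an added illustration of that pattern, not code from the Product Configurator for WooCommerce plugin or from WPScan: only the action name pc_get_data comes from the advisory; the function names, the product_id parameter (taken from the curl example above, not confirmed by the advisory text) and the nonce name are assumptions. It shows the unchecked shape beside a hardened one that only discloses data for publicly viewable products, or to logged-in users who can edit the product.

```php
<?php
// Added example, not the plugin's own code. Handler and helper names are
// hypothetical; the action name pc_get_data is the one named in the advisory.
// Requires WordPress 5.7+ (is_post_publicly_viewable) and WooCommerce.

// Unchecked shape: any caller who supplies an ID gets the product's data,
// regardless of whether the product is published, draft or private.
function example_pc_get_data_unchecked() {
    $product_id = absint( $_POST['product_id'] ?? 0 );
    $product    = wc_get_product( $product_id );   // returns false if no such product
    if ( ! $product ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }
    wp_send_json_success( example_pc_product_payload( $product ) );
}

// Hardened shape: enforce WordPress post visibility before disclosing anything.
function example_pc_get_data_checked() {
    $product_id = absint( $_POST['product_id'] ?? 0 );
    $product    = wc_get_product( $product_id );

    // Public callers may only see products WordPress would show on the front end:
    // a viewable status (publish) on a public post type, and not password-protected.
    $visible = $product
        && is_post_publicly_viewable( $product_id )
        && ! post_password_required( $product_id );

    // Users who may edit the product (e.g. shop managers) can still fetch draft or
    // private data, but only when logged in and presenting a valid nonce.
    $may_edit = $product
        && is_user_logged_in()
        && current_user_can( 'edit_post', $product_id )
        && check_ajax_referer( 'pc_get_data', 'nonce', false );

    // "Does not exist" and "not visible to you" get the same answer, so the
    // endpoint cannot be used to enumerate which private/draft IDs exist.
    if ( ! $visible && ! $may_edit ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }

    wp_send_json_success( example_pc_product_payload( $product ) );
}

// The fields the advisory lists as exposed; configurator option pricing/SKUs
// would be added here in the same way once the product has been authorized.
function example_pc_product_payload( WC_Product $product ) {
    return array(
        'title'        => $product->get_name(),
        'price'        => $product->get_price(),
        'weight'       => $product->get_weight(),
        'stock_status' => $product->get_stock_status(),
    );
}

// Register the hardened handler for both logged-in and anonymous callers.
add_action( 'wp_ajax_pc_get_data', 'example_pc_get_data_checked' );
add_action( 'wp_ajax_nopriv_pc_get_data', 'example_pc_get_data_checked' );
```

Two design points: the check runs against the post's visibility status rather than against the caller's login state alone, because a logged-in subscriber should not see drafts either; and the failure responses for a missing product and a non-visible product are identical, so the endpoint does not become an oracle for which non-public product IDs exist. Registering a second handler under the same action name as a live plugin would collide with the plugin's own registration, so this is a pattern to compare the plugin's code against, not a drop-in replacement for updating to 1.7.3.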
