CVE-2026-49779
Status: Deferred - Pending Action

Path Traversal in Tax Exempt for WooCommerce

Vulnerability report for CVE-2026-49779, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: Patchstack

Description

Path Traversal in Tax Exempt for WooCommerce, versions 1.9.3 and earlier. The "Customer" qualifier in the Patchstack title indicates the privilege level needed: an authenticated account with the WooCommerce Customer role.

CVSS Scores

Base score: 6.5 (vector string not provided)

EPSS Scores

Probability: not yet evaluated
Percentile: not yet evaluated

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

Two associated CPEs:

Vendor       Product                         Version / Range
patchstack   woocommerce_tax_exempt_plugin   up to and including 1.9.3
patchstack   tax_exempt_for_woocommerce      up to and including 1.9.3

Exploitability

CWE-35: The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.
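The CWE-35 pattern is easiest to see in code. The following is an added, generic Python illustration (not the plugin's code, which this page does not show): a single-pass removal of "../" turns ".../...//" into "../", while a check on the resolved path rejects the result. The directory layout it builds is constructed for the demonstration.

```python
"""Why a single-pass "../" strip is bypassable (CWE-35) and what a path
containment check looks like.

Added, generic illustration for the CWE listed in this advisory. It is not
code from the Tax Exempt for WooCommerce plugin, whose vulnerable code is not
shown on the page. The directory tree is constructed for the demonstration.
"""
import os
import tempfile


def naive_sanitize(user_path):
    """Remove "../" in one pass, the kind of filter CWE-35 describes as
    insufficient: ".../...//" collapses to "../" after the removal."""
    return user_path.replace("../", "")


def contained_path(base_dir, user_path):
    """Resolve user_path under base_dir and return the absolute path only if
    it stays inside base_dir (symlinks resolved). Raises ValueError otherwise."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"{user_path!r} resolves outside {base}")
    return candidate


def demo():
    """Build a throwaway tree (root/wp-config.php, root/wp-content/uploads/)
    and try the CWE-35 payload against both approaches."""
    attack = ".../...//.../...//wp-config.php"
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "wp-content", "uploads")
        os.makedirs(base)
        secret = os.path.join(root, "wp-config.php")
        with open(secret, "w") as fh:
            fh.write("<?php // constructed stand-in for a sensitive file\n")

        stripped = naive_sanitize(attack)  # becomes "../../wp-config.php"
        reached = os.path.realpath(os.path.join(base, stripped))
        naive_escapes = reached == os.path.realpath(secret)

        try:
            contained_path(base, stripped)
            check_rejects_stripped = False
        except ValueError:
            check_rejects_stripped = True

        # The raw payload names non-existent "..." directories under base; it
        # only becomes a traversal after the faulty strip, so it stays inside.
        raw_stays_inside = contained_path(base, attack).startswith(
            os.path.realpath(base) + os.sep
        )

    return {
        "stripped": stripped,
        "naive_escapes": naive_escapes,
        "check_rejects_stripped": check_rejects_stripped,
        "raw_stays_inside": raw_stays_inside,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The second function inspects the final resolved path rather than hunting for bad substrings in the input, so whatever rewriting happens first is still caught. Note that the raw payload by itself stays inside the base directory; it is the filter that rewrites it into "../../" that creates the escape.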

AI Quick Actions

Executive Summary

Tax Exempt for WooCommerce, a WordPress plugin, contains a Path Traversal vulnerability in versions 1.9.3 and below. The flaw lets an attacker manipulate a file path so that it resolves to directories and files outside the location the plugin intends to serve, potentially exposing sensitive information on affected sites.

The vulnerability falls under the OWASP Top 10 category A01 Broken Access Control: the plugin does not properly restrict which files a user can reach.

Impact Analysis

Exploitation allows an attacker to traverse directories on the server and read files they should not be able to access. This can expose confidential data and compromise the security and privacy of the site and its users.

The vulnerability has a CVSS base score of 6.5 (Medium), and it is expected to be targeted in mass-exploit campaigns, which raises the likelihood of attack.

At the time of writing there is no official patch from the plugin developers, so immediate mitigation (temporary blocking rules, then updating as soon as a fix is released) is advised.

Detection Guidance

The vulnerability is a Path Traversal issue in the WooCommerce Tax Exempt plugin, versions 1.9.3 and below. Exploitation attempts can be detected by monitoring for requests that try to reach directories outside the intended scope.

No specific detection commands are provided in the available resources, but the usual method is to search web server logs for URL patterns containing directory traversal sequences such as "../", encoded variants ("%2e%2e", "..%2f", "..%5c"), double-encoded variants ("%252e"), and the ".../...//" form named by CWE-35.

Commands to help detect such activity, for example with grep on an Apache access log (use /var/log/nginx/access.log or your host's log location for other servers):

  • grep -iE '\.\.(/|\\|%2f|%5c)|%2e%2e|%252e' /var/log/apache2/access.log
  • grep -iE 'tax[_-]exempt' /var/log/apache2/access.log | grep -iE '\.\.(/|\\|%2f|%5c)|%2e%2e|%252e'

Two caveats: access logs record only the request line, so a payload sent in a POST body will not appear in them, and a pattern that only matches "%2e%2e" misses the double-encoded form, which is why "%252e" is listed separately. Network intrusion detection systems (NIDS) and web application firewalls (WAF) with path traversal rules can also detect exploitation attempts.
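To go beyond a grep, here is an added Python example (not a Patchstack or vendor tool) that parses combined-format access-log lines, percent-decodes each path and query value repeatedly so single- and double-encoded payloads are both caught, and reports where the traversal sequence sat. The log lines are constructed, and the admin-ajax action, file parameter and plugin directory in them are placeholders rather than the plugin's real routes.

```python
"""Scan access-log lines for path-traversal attempts, including encoded variants.

Added example for the detection guidance in this advisory; not a Patchstack or
plugin-vendor tool. The log lines are constructed, and the endpoint, parameter
names and plugin directory in them are placeholders, not the plugin's real routes.
"""
import re
from urllib.parse import unquote, urlsplit

# Combined log format: client IP, ident, user, [timestamp], "METHOD target HTTP/x".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Two or more dots followed by a slash or backslash: "../", "..\", and the
# ".../...//" shape from CWE-35. Applied after percent-decoding.
TRAVERSAL_RE = re.compile(r"\.\.+[/\\]")

# Constructed sample lines: one clean plugin asset, four traversal attempts
# (plain, encoded, double-encoded, CWE-35 form), one attempt in the path
# itself with backslashes, and one clean account-page request.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Jul/2026:10:00:01 +0000] "GET /wp-content/plugins/tax-exempt-for-woocommerce/assets/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [02/Jul/2026:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=te_download&file=../../../wp-config.php HTTP/1.1" 200 2048 "-" "curl/8.5.0"
203.0.113.12 - - [02/Jul/2026:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=te_download&file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2048 "-" "curl/8.5.0"
203.0.113.13 - - [02/Jul/2026:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=te_download&file=%252e%252e%252fetc/passwd HTTP/1.1" 403 0 "-" "python-requests/2.31.0"
203.0.113.14 - - [02/Jul/2026:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=te_download&file=.../...//.../...//wp-config.php HTTP/1.1" 200 2048 "-" "curl/8.5.0"
203.0.113.15 - - [02/Jul/2026:10:00:06 +0000] "GET /wp-content/plugins/tax-exempt-for-woocommerce/download.php/..%5c..%5cwp-config.php HTTP/1.1" 404 0 "-" "curl/8.5.0"
203.0.113.16 - - [02/Jul/2026:10:00:07 +0000] "GET /my-account/tax-exempt/?cert=receipt-2026.pdf HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing, so %252e (double
    encoding) is caught. Returns (decoded, rounds) with rounds = passes used."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def split_query(query):
    """Split a raw query string without decoding, so encoding depth is kept."""
    pairs = []
    for item in query.split("&"):
        if item:
            name, _, value = item.partition("=")
            pairs.append((name, value))
    return pairs


def inspect_target(target):
    """Return a list of (where, decoded_value, rounds) for every traversal hit
    in a request target; [] means the request looks clean."""
    parts = urlsplit(target)
    hits = []
    path, rounds = decode_fully(parts.path)
    if TRAVERSAL_RE.search(path):
        hits.append(("path", path, rounds))
    for name, raw in split_query(parts.query):
        value, rounds = decode_fully(raw)
        if TRAVERSAL_RE.search(value):
            hits.append((f"query:{name}", value, rounds))
    return hits


def scan_log(text):
    """Parse combined-format lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = inspect_target(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "target": m["target"], "hits": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        for where, value, rounds in finding["hits"]:
            print(f'{finding["ip"]} {where} decode_rounds={rounds} -> {value}')
```

The pattern is deliberately broad (any run of two or more dots before a slash), so tune it to the endpoints you actually expose; the decode round count tells you how hard the sender tried to hide the payload, which is a useful triage signal.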

Mitigation Strategies

Update the plugin as soon as a fixed version is released; at the time of writing, no official patch is available from the developers.

Patchstack has issued a mitigation rule that temporarily blocks attacks exploiting this vulnerability. Sites not protected by it should apply an equivalent web application firewall rule that blocks path traversal sequences in requests to the plugin, and, if that is not possible, consider deactivating the plugin until a fixed version is available.

Also consider seeking assistance from your hosting provider or a web developer to apply temporary protections, and monitor your systems closely for suspicious activity.
