Security Alert Summary
The Product Configurator for WooCommerce plugin contains an access control issue that allows unauthenticated users to retrieve non-public product data through a public AJAX action. Attackers can obtain details such as title, price, weight, stock status, and configurator option pricing/SKUs for private and draft products by supplying a product ID, bypassing WordPress post-visibility controls.
CVE Details
- CVE ID: CVE-2026-11568
- Affected plugin / component: The Product Configurator for WooCommerce WordPress plugin
- Affected versions: before 1.7.3
- Published: July 1, 2026 at 7:16:22 AM
- Last modified: July 1, 2026 at 11:16:22 AM
- CVSS v3.1 base score: 7.5 — Severity: HIGH
- CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Authentication / privileges / user interaction: No privileges required (PR:N), no user interaction required (UI:N). The vector indicates unauthenticated network access is sufficient.
- Primary impact:
- Confidentiality: HIGH (exposure of non-public product data)
- Integrity: NONE
- Availability: NONE
- CWE / weakness: Not specified in the provided data
Technical Details
According to the advisory, the plugin does not perform authorization or post-status checks before returning WooCommerce product data via a public AJAX action. Because those checks are missing, an unauthenticated requester who knows or can guess a product ID can retrieve details for private and draft (non-public) products. The returned fields mentioned include title, price, weight, stock status, and configurator option pricing/SKUs. In short, WordPress post-visibility controls are bypassed for this data path.
The issue exists in the plugin’s handling of a publicly exposed AJAX endpoint that returns product information without verifying the requester is authorized to view the post or that the post is published. The absence of those checks allows disclosure of confidential product metadata for non-public posts.
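As an added illustration (not the plugin's own code, which the advisory does not reproduce), the hypothetical WordPress AJAX handler below shows the missing-check pattern the advisory describes next to a hardened form. The action name example_configurator_product, the product_id parameter and the payload fields are assumptions; wc_get_product(), is_post_publicly_viewable() (WordPress 5.7+), current_user_can( 'read_post', ... ) and wp_send_json_* are real WordPress/WooCommerce APIs and the code assumes WooCommerce is active.

```php
<?php
// Added example, not the plugin's code. Action and parameter names are placeholders.

// Vulnerable pattern: a nopriv AJAX action that returns whatever product ID it is handed.
function example_configurator_product_unsafe() {
    $product_id = isset( $_POST['product_id'] ) ? absint( $_POST['product_id'] ) : 0;
    $product    = wc_get_product( $product_id );
    if ( ! $product ) {
        wp_send_json_error( 'not found', 404 );
    }
    // No post-status or capability check: draft and private products are served
    // to anonymous callers exactly like published ones.
    wp_send_json_success( example_configurator_product_payload( $product ) );
}

// Hardened form: same action, gated on public visibility or a per-post read capability.
function example_configurator_product_safe() {
    $product_id = isset( $_POST['product_id'] ) ? absint( $_POST['product_id'] ) : 0;
    $product    = wc_get_product( $product_id );

    // is_post_publicly_viewable() is true only for a published post of a publicly
    // queryable post type. Anything else falls through to 'read_post', which WordPress
    // maps for the 'product' post type to read_private_products for private posts and
    // to the edit capability for drafts, so anonymous callers never pass.
    $allowed = $product
        && ( is_post_publicly_viewable( $product_id ) || current_user_can( 'read_post', $product_id ) );

    if ( ! $allowed ) {
        // Identical response for "missing" and "not allowed" so the endpoint does not
        // confirm which IDs correspond to hidden products.
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( example_configurator_product_payload( $product ) );
}

// The fields the advisory lists as exposed.
function example_configurator_product_payload( WC_Product $product ) {
    return array(
        'title'  => $product->get_name(),
        'price'  => $product->get_price(),
        'weight' => $product->get_weight(),
        'stock'  => $product->get_stock_status(),
        'sku'    => $product->get_sku(),
    );
}

// Register the hardened handler for both logged-in and anonymous requests; the
// vulnerable version differs only in the missing visibility check.
add_action( 'wp_ajax_nopriv_example_configurator_product', 'example_configurator_product_safe' );
add_action( 'wp_ajax_example_configurator_product', 'example_configurator_product_safe' );
```

Note that a nonce check would not fix this class of bug: nonces bind a request to a page load, not to a permission, so a public configurator page would hand one to every visitor. The authorization decision has to be made against the post's status and the caller's capability on that specific post, as above.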
How This Could Impact Your Website
On a multi-user WordPress site, a site owner or product manager may use draft or private products for pre-launch planning, internal review, or contractor previews. An external party could obtain pricing, SKUs, stock status, and other product details that were intended to remain internal. This could reveal planned pricing changes, unreleased product SKUs, or inventory information to unauthorized parties.
Practical consequences include increased risk of targeted commercial intelligence gathering and more informed social engineering attempts against staff or contractors who are associated with product launches. If you rely on draft/private products for sensitive planning, that confidentiality can be undermined by this vulnerability. If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin to version 1.7.3 or later as soon as possible.
- Review and reduce unnecessary user roles, especially contributor-level accounts and other low-privilege users that have access to product editing or previews.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins to reduce attack surface.
- Monitor site activity and access logs for unusual requests that reference product IDs or unknown AJAX calls.
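As an added example of the log review suggested in the last point (not part of the advisory), the PHP CLI script below scans combined-format web server access log lines for admin-ajax.php requests carrying a product_id parameter and reports client IPs that touched many distinct product IDs, the trace a scripted sweep of hidden products would leave. The log lines are constructed, and the action name example_configurator_product and the product_id parameter are placeholders, not the plugin's real names.

```php
<?php
// Added example, not part of the advisory. Sample log lines are constructed;
// action and parameter names are placeholders.

// Constructed sample: one ordinary shopper (203.0.113.10) and one client walking IDs.
$sample_log = <<<'LOG'
203.0.113.10 - - [01/Jul/2026:08:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_configurator_product&product_id=812 HTTP/1.1" 200 512 "https://shop.example/product/widget/" "Mozilla/5.0"
198.51.100.7 - - [01/Jul/2026:08:02:10 +0000] "GET /wp-admin/admin-ajax.php?action=example_configurator_product&product_id=1 HTTP/1.1" 200 498 "-" "python-requests/2.31"
198.51.100.7 - - [01/Jul/2026:08:02:10 +0000] "GET /wp-admin/admin-ajax.php?action=example_configurator_product&product_id=2 HTTP/1.1" 200 501 "-" "python-requests/2.31"
198.51.100.7 - - [01/Jul/2026:08:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=example_configurator_product&product_id=3 HTTP/1.1" 200 0 "-" "python-requests/2.31"
198.51.100.7 - - [01/Jul/2026:08:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=example_configurator_product&product_id=4 HTTP/1.1" 200 505 "-" "python-requests/2.31"
203.0.113.10 - - [01/Jul/2026:08:03:40 +0000] "GET /wp-admin/admin-ajax.php?action=example_configurator_product&product_id=812 HTTP/1.1" 200 512 "https://shop.example/product/widget/" "Mozilla/5.0"
LOG;

/**
 * Returns [ip => [product_id, ...]] for every client whose admin-ajax.php requests
 * referenced at least $min_distinct different product IDs.
 */
function example_flag_product_enumeration( string $log, int $min_distinct = 3 ): array {
    $seen = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        // Combined format: client IP is the first field, the request target follows the method.
        if ( ! preg_match( '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) /', $line, $m ) ) {
            continue;
        }
        list( , $ip, $target ) = $m;
        $path  = parse_url( $target, PHP_URL_PATH );
        $query = parse_url( $target, PHP_URL_QUERY );
        if ( $path === null || substr( $path, -15 ) !== '/admin-ajax.php' || $query === null ) {
            continue;
        }
        parse_str( $query, $params );
        if ( ! isset( $params['product_id'] ) || ! ctype_digit( (string) $params['product_id'] ) ) {
            continue;
        }
        $seen[ $ip ][ (int) $params['product_id'] ] = true;
    }

    $flagged = array();
    foreach ( $seen as $ip => $ids ) {
        if ( count( $ids ) >= $min_distinct ) {
            $id_list = array_keys( $ids );
            sort( $id_list );
            $flagged[ $ip ] = $id_list;
        }
    }
    return $flagged;
}

// On the constructed sample this reports only 198.51.100.7 (IDs 1,2,3,4).
foreach ( example_flag_product_enumeration( $sample_log ) as $ip => $ids ) {
    printf( "%s requested %d distinct product IDs: %s\n", $ip, count( $ids ), implode( ',', $ids ) );
}
```

Two caveats for real use: a standard access log records only the query string, so if the plugin's endpoint takes product_id in a POST body the parameter will not appear there and you would need request logging from a WAF or a WordPress activity plugin instead; and a low threshold will flag legitimate shoppers who browse many products, so tune $min_distinct against your own traffic before acting on the output.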
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.