CVE-2026-22334: WordPress Woocommerce Book Price plugin <= 1.3 - Arbitrary File Download vulnerability
Subscriber Arbitrary File Download in Woocommerce Book Price <= 1.3 versions.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An arbitrary file download vulnerability affects the WooCommerce Book Price WordPress plugin at version 1.3 and earlier. The flaw is reachable over the network without any authentication, allowing an attacker to request and retrieve arbitrary files from the server's filesystem. Successful exploitation exposes sensitive server-side files, including configuration files that may contain database credentials or API keys. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
- Detection [Available]: The CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle this plugin.
- Scoring and routing [Available]: HarborGuard scores this CVE at 7.5 HIGH using the CVSS v3.1 vector, weights it further against each customer environment's compliance policy, then routes the finding to the appropriate team inbox within the affected organization.
- Patched rebuild [Pending upstream]: No fix version has been published upstream, so HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released. Customers with auto-remediation enabled will automatically receive the rebuild, a regression-test run, and a PR opened against affected workloads once the upstream patch lands.
Exploit Conditions
- Network reachability: Required. The plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress service via HTTP or HTTPS.
- Authentication: Not required. No account or session token is needed; the vulnerable endpoint accepts unauthenticated requests.
- Victim interaction: Not required. No user action is needed; the attacker sends a crafted request directly to the server without involving any human target.
- Attack complexity: Low (AC:L in the CVSS vector). The exploit is reliable and condition-free, requiring no race conditions or special environmental factors to succeed.
Blast Radius
- Reads arbitrary files from the server filesystem, including wp-config.php, which contains database credentials and authentication keys.
- Exposes any file the web server process has read permission to, including environment files, private keys, or internal configuration files.
- Allows reconstruction of database connection strings, enabling follow-on attacks against the site database if it is network-accessible.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix currently exists for CVE-2026-22334, HarborGuard monitors the Patchstack advisory on every ingest cycle and will automatically trigger a patched-image rebuild the moment a fix version is published. For customers with auto-remediation enabled, this means a rebuilt image, a regression-test run, and a PR opened against affected workloads will be available with no manual intervention. In the interim, compensating controls worth considering include network-policy rules that restrict public access to the plugin's download endpoint, web application firewall rules blocking path-traversal patterns in query parameters, and egress filtering on the container to limit what files can be served. Any environment scanning images that bundle WooCommerce Book Price at version 1.3 or earlier will have this finding surfaced in the HarborGuard dashboard and routed according to the organization's configured compliance policy.
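The compensating controls above mention blocking path-traversal patterns in query parameters. The following Python script is an added illustration of that control, not part of the advisory and not HarborGuard's or the plugin's code. It does two things: it scans web-server access-log lines for traversal sequences and sensitive filenames in the query string of requests to a download endpoint, percent-decoding repeatedly so double-encoded payloads are not missed, and it shows the directory-confinement check a download handler should apply before serving a file. The log lines are constructed for the example, and the path `/wp-content/plugins/PLUGIN-SLUG/download.php` with its `file` parameter is a placeholder: the advisory does not name the vulnerable endpoint or parameter.

```python
import re
from pathlib import Path
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format, trimmed). The plugin
# path "/wp-content/plugins/PLUGIN-SLUG/download.php" and the "file" parameter
# are PLACEHOLDERS; the advisory does not name the real endpoint or parameter.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2026:10:00:00 +0000] "GET /wp-content/plugins/PLUGIN-SLUG/download.php?file=book.pdf HTTP/1.1" 200 5120
203.0.113.11 - - [01/Jan/2026:10:00:01 +0000] "GET /wp-content/plugins/PLUGIN-SLUG/download.php?file=../../../wp-config.php HTTP/1.1" 200 3210
203.0.113.12 - - [01/Jan/2026:10:00:02 +0000] "GET /wp-content/plugins/PLUGIN-SLUG/download.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 403 199
203.0.113.13 - - [01/Jan/2026:10:00:03 +0000] "GET /wp-content/plugins/PLUGIN-SLUG/download.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1800
203.0.113.14 - - [01/Jan/2026:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# ".." as a whole path segment, checked after backslashes are normalised to "/".
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")

# Filenames whose appearance in a download parameter deserves an alert.
SENSITIVE_NAMES = ("wp-config.php", ".env", "passwd", ".htaccess", "id_rsa")


def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing, so %252e%252e is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target):
    """Return (kind, param, decoded_value) findings for one request target."""
    findings = []
    query = urlsplit(target).query
    # parse_qs already strips one layer of percent-encoding.
    for param, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            decoded = fully_decode(raw).replace("\\", "/")
            if TRAVERSAL_RE.search(decoded):
                findings.append(("traversal", param, decoded))
            if any(name in decoded.lower() for name in SENSITIVE_NAMES):
                findings.append(("sensitive-file", param, decoded))
    return findings


def scan_access_log(text, endpoint_marker="/download.php"):
    """Return one alert per request to the endpoint that carries traversal or
    sensitive-file indicators. A 200 response to such a request is the one to
    prioritise; a request stopped by a WAF rule shows up as 403."""
    alerts = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match or endpoint_marker not in match.group("target"):
            continue
        findings = classify_request(match.group("target"))
        if findings:
            status = int(match.group("status"))
            alerts.append({
                "ip": match.group("ip"),
                "status": status,
                "likely_success": status == 200,
                "findings": findings,
            })
    return alerts


def safe_resolve(base_dir, requested):
    """Mitigation side: confine a requested filename to base_dir. Returns the
    resolved Path, or None when the request would escape that directory
    (via "..", an absolute path, or an empty name)."""
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    if candidate == base or base not in candidate.parents:
        return None
    return candidate


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert["ip"], alert["status"], alert["likely_success"], alert["findings"])
    print(safe_resolve("/srv/books", "book.pdf"))
    print(safe_resolve("/srv/books", "../../../wp-config.php"))
```

Two design points worth noting: `parse_qs` removes one layer of percent-encoding, so the extra `fully_decode` pass is what turns `%252e%252e%252f` into `../`, and a detector that decodes only once misses it; and `safe_resolve` compares fully resolved paths rather than searching the input for `..`, so it rejects absolute paths and symlink escapes as well as the obvious traversal strings.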
Affected Products
- WPos / Woocommerce Book Price: ≤ 1.3
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N