CVE-2026-42664: WordPress AI Product Search for WooCommerce – Motive Commerce Search plugin <= 1.38.2 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in AI Product Search for WooCommerce – Motive Commerce Search <= 1.38.2 versions.
Metrics
- CVSS v3.1: 8.2
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A broken access control vulnerability in the AI Product Search for WooCommerce plugin (Motive Commerce Search, versions 1.38.2 and earlier) allows unauthenticated remote attackers to reach restricted functionality without logging in. The flaw is reachable over the network and requires no credentials or victim interaction. Successful exploitation allows an attacker to tamper with plugin data or configuration and to crash or deny access to the affected service. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is released.
HarborGuard Coverage
- Detection: Available. The CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against customer images and pipeline builds, including custom WordPress images that bundle this plugin. Both registry scans and CI pipeline checks are covered across every HarborGuard environment.
- Triage: Available. HarborGuard surfaces this CVE with its CVSS v3.1 score of 8.2 (HIGH) and weights it against each customer environment's compliance policy to determine urgency. Triage findings are routed to the appropriate team inbox within each customer org based on configured ownership rules.
- Remediation: Pending upstream. Because no fix version has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainer ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.
Exploit Conditions
- Network reachability: Required. The plugin endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the target WordPress/WooCommerce host.
- Authentication: Not required. No account or session token is needed; the access control bypass is reachable by any unauthenticated request.
- Victim interaction: Not required. The attacker interacts directly with the server-side endpoint and does not need any action from a site user or administrator.
- Attack complexity: Low. The exploit is reliable and requires no special timing, race conditions, or environmental preconditions.
Blast Radius
- An attacker can modify plugin settings or stored data, altering how product search results are generated or displayed to shoppers.
- An attacker can trigger a denial-of-service condition that crashes or makes the affected search service unavailable, disrupting storefront search functionality.
- No confidential data exposure is indicated by the CVSS vector (Confidentiality impact is None), so direct theft of customer records or credentials is not a consequence of this specific flaw.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-42664 is active across all scanning environments and will flag any image containing Motive Commerce Search at version 1.38.2 or earlier. Because no upstream patch exists as of the CVE publication date of 2026-06-15, the recommended compensating controls include restricting network access to the WooCommerce admin and plugin endpoints via ingress network policy, applying web application firewall rules that block unexpected unauthenticated requests to plugin-specific routes, and isolating the WordPress container from sensitive internal services using egress filtering. HarborGuard monitors the Patchstack advisory feed on every ingest cycle; when the plugin maintainer publishes a fix, a patched-image rebuild becomes available immediately. For customers with auto-remediation enabled, the rebuild will be followed by a regression test run and a PR opened against affected workloads, with median time from CVE patch publication to merged PR around 90 minutes for high-severity issues.
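A version check a defender can run against a WordPress install or a mounted container image to find affected copies of this plugin, written here as an added example (it is not HarborGuard's scanner or the plugin's code): it reads the WordPress plugin header fields and compares the Version against the advisory's 1.38.2 boundary. It assumes the plugin's `Plugin Name:` header matches the name used in this advisory; the sample headers below are constructed.

```python
import re
from pathlib import Path

# Name and version boundary taken from the advisory. The name is assumed to
# match the plugin's "Plugin Name:" header; the real header may differ slightly.
AFFECTED_PLUGIN = "AI Product Search for WooCommerce - Motive Commerce Search"
LAST_VULNERABLE = "1.38.2"   # advisory: <= 1.38.2 is affected, no fix published

# Matches header lines such as " * Version: 1.38.2" or "Plugin Name: ..."
HEADER_RE = re.compile(r"^[\s*#]*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)

def parse_plugin_header(php_source: str) -> dict:
    """Read 'Plugin Name' and 'Version' from the WordPress header comment."""
    # WordPress itself only reads the first 8 KB of the main file for header fields.
    return dict(HEADER_RE.findall(php_source[:8192]))

def version_key(version: str) -> tuple:
    """'1.38.2' -> (1, 38, 2); non-numeric parts (e.g. 'beta') count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version.strip()))

def version_le(a: str, b: str) -> bool:
    """True if version a <= version b, padding the shorter tuple with zeros."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    return ka + (0,) * (n - len(ka)) <= kb + (0,) * (n - len(kb))

def normalise_name(name: str) -> str:
    # The advisory uses an en dash; plugin headers commonly use a plain hyphen.
    return name.replace("\u2013", "-").replace("\u2014", "-").strip()

def is_affected(header: dict) -> bool:
    name, version = header.get("Plugin Name", ""), header.get("Version", "")
    return bool(version) and normalise_name(name) == AFFECTED_PLUGIN \
        and version_le(version, LAST_VULNERABLE)

def scan_plugins_dir(plugins_dir) -> list:
    """Return [(main_file, version)] for affected installs under wp-content/plugins."""
    hits = []
    for php in Path(plugins_dir).glob("*/*.php"):
        header = parse_plugin_header(php.read_text(errors="replace"))
        if is_affected(header):
            hits.append((str(php), header["Version"]))
    return hits

# Constructed sample headers (not real plugin files) used for a self-check.
SAMPLES = {
    "vulnerable": "<?php\n/**\n * Plugin Name: AI Product Search for WooCommerce \u2013 Motive Commerce Search\n * Version: 1.38.2\n */\n",
    "older": "<?php\n/*\nPlugin Name: AI Product Search for WooCommerce - Motive Commerce Search\nVersion: 1.37\n*/\n",
    "newer": "<?php\n/**\n * Plugin Name: AI Product Search for WooCommerce - Motive Commerce Search\n * Version: 1.39.0\n */\n",
    "other": "<?php\n/**\n * Plugin Name: WooCommerce\n * Version: 1.0.0\n */\n",
}
```

Point `scan_plugins_dir()` at the `wp-content/plugins` directory of a mounted image filesystem; it returns the affected main files with their versions, and an empty list when none match.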
Affected Products
- Motive Commerce Search / AI Product Search for WooCommerce – Motive Commerce Search: ≤ 1.38.2
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H