CVE-2026-42668 (Severity: HIGH). CNA: Patchstack.

CVE-2026-42668: WordPress Email Marketing for WooCommerce by Omnisend plugin <= 1.18.0 - Broken Authentication vulnerability

Unauthenticated broken authentication in Email Marketing for WooCommerce by Omnisend, versions <= 1.18.0.

Metrics

CVSS v3.1 score: 7.5
Severity: HIGH
Fixed in: no fixed version published
Affected products: 1


HarborGuard Analysis

Synopsis

This is a broken authentication vulnerability in the Email Marketing for WooCommerce by Omnisend WordPress plugin, affecting all versions up to and including 1.18.0. It is reachable over the network with no authentication and no user interaction (CVSS AV:N/PR:N/UI:N), so any unauthenticated remote attacker who can reach the site can attempt it. The vector scores the impact as high confidentiality loss with no integrity or availability impact (C:H/I:N/A:N): successful exploitation gives the attacker read access to confidential data exposed through the plugin's authentication flow. Neither the advisory text reproduced here nor the CVSS vector identifies the affected endpoint or the specific data exposed. No fix version has been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against all customer images, including custom-built WordPress and WooCommerce images. Any image containing the Omnisend plugin at a vulnerable version is flagged automatically.

Triage: Available

HarborGuard scores this CVE at CVSS 7.5 (HIGH) and applies each customer organization's compliance policy weighting to determine escalation priority. Triage findings are routed to the appropriate team inbox within each customer environment based on configured ownership rules.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-checks the Patchstack advisory and upstream plugin repository on every ingest cycle. The moment a patched version is released, a rebuilt image becomes available, and customers with auto-remediation enabled will receive a regression-tested rebuild along with a PR opened against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress/WooCommerce service via HTTP(S) to exploit this vulnerability.

  • Authentication: Not required

    No account or credentials of any kind are required; the vulnerability is exploitable by any unauthenticated remote request.

  • Victim interaction: Not required

    No action from a logged-in user or site visitor is needed for exploitation to succeed.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race conditions, or non-standard configuration.

Blast Radius

  • An attacker reads confidential data exposed through the plugin's authentication mechanism, which may include API keys, subscriber lists, or integration credentials stored by the Omnisend plugin.
  • Access to marketing integration credentials can expose customer email addresses and behavioral data synced between WooCommerce and the Omnisend platform.
  • There is no integrity or availability impact reported; the attacker gains read access only, with no write or disruption capability described in the CVSS scoring.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active and matches any scanned image carrying the Omnisend plugin at version 1.18.0 or earlier. Because no upstream fix exists at this time, HarborGuard monitors the Patchstack advisory and the WordPress plugin repository on every ingest cycle and will make a patched-image rebuild available the moment a fix is published. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads trigger automatically without manual intervention.

In the interim, compensating controls worth considering are: network-policy rules that restrict external access to the WordPress admin and WooCommerce REST API surfaces; egress filtering to limit what the plugin can reach from inside the container; and disabling or removing the Omnisend plugin from images where the email marketing integration is not operationally required. Two caveats apply. The advisory text available here does not identify the vulnerable endpoint, so path-based restrictions on /wp-admin and the REST API are not guaranteed to cover the affected route. Egress filtering limits what an attacker can reach after compromise but does nothing to stop the data disclosure itself, which is the only impact the CVSS vector scores. Deactivating or removing the plugin is the one interim measure that certainly removes the exposure.
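The detection described under Detection and again above reduces to one check: locate the Omnisend plugin in an image or live install and test whether its version is at or below 1.18.0. The following Python is an added example, not HarborGuard's scanner or the plugin's own code. It assumes the plugin slug is `omnisend` (the advisory gives the product name, not the slug), and the plugin header and WP-CLI JSON it reads are constructed samples. The version comparison is numeric per component, because a plain string comparison ranks 1.9.3 above 1.18.0 and would miss an affected install.

```python
"""Flag a WordPress install or image whose Omnisend plugin falls in the
CVE-2026-42668 affected range (<= 1.18.0). Added example, not HarborGuard code."""
import json
import re
from typing import List, Optional, Tuple

# Upper bound of the affected range, from the advisory.
AFFECTED_MAX = "1.18.0"

# Assumed plugin slug; the advisory names the product, not the slug.
PLUGIN_SLUG = "omnisend"

# Constructed sample of a plugin main-file header, the block WordPress reads
# plugin metadata from. Values are illustrative, not copied from the plugin.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Email Marketing for WooCommerce by Omnisend
 * Plugin URI:  https://www.omnisend.com/
 * Description: Sync WooCommerce customers and orders to Omnisend.
 * Version:     1.18.0
 * Text Domain: omnisend
 */
"""

# Constructed sample of `wp plugin list --format=json` output from WP-CLI.
SAMPLE_WP_CLI_JSON = json.dumps([
    {"name": "woocommerce", "status": "active", "update": "none", "version": "9.4.1"},
    {"name": "omnisend", "status": "active", "update": "none", "version": "1.9.3"},
])

# Matches " * Version: 1.18.0" inside the header comment.
_VERSION_LINE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.18.0' into (1, 18, 0). Components compare as integers, so
    1.9.3 < 1.18.0. A non-numeric tail such as 'beta1' or 'rc1' ends the
    tuple; an unparseable string yields ()."""
    parts: List[int] = []
    for piece in re.split(r"[.\-]", version.strip()):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def version_le(a: str, b: str) -> bool:
    """a <= b, with missing trailing components treated as 0 ('1.18' == '1.18.0')."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa <= pb


def is_affected(version: str) -> bool:
    """True when version <= AFFECTED_MAX. A version that does not parse is
    flagged as affected so it gets manual review instead of a silent pass."""
    if not parse_version(version):
        return True
    return version_le(version, AFFECTED_MAX)


def header_version(plugin_main_file: str) -> Optional[str]:
    """Extract the 'Version:' header from a plugin's main PHP file text."""
    m = _VERSION_LINE.search(plugin_main_file)
    return m.group(1) if m else None


def scan_wp_cli_output(wp_cli_json: str, slug: str = PLUGIN_SLUG) -> List[Tuple[str, str, bool]]:
    """Return (name, version, affected) for every plugin whose name matches
    `slug` in `wp plugin list --format=json` output."""
    hits: List[Tuple[str, str, bool]] = []
    for plugin in json.loads(wp_cli_json):
        if plugin.get("name") == slug:
            version = str(plugin.get("version", ""))
            hits.append((plugin["name"], version, is_affected(version)))
    return hits


if __name__ == "__main__":
    v = header_version(SAMPLE_PLUGIN_HEADER)
    print(f"plugin header version {v}: affected={is_affected(v or '')}")
    for name, version, affected in scan_wp_cli_output(SAMPLE_WP_CLI_JSON):
        print(f"{name} {version}: affected={affected}")
```

On a live container, feed `scan_wp_cli_output` the real output of `wp plugin list --format=json`, or pass the main PHP file under wp-content/plugins/ to `header_version`; a version string that does not parse is reported as affected rather than quietly skipped.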

Affected packages
  • Omnisend / Email Marketing for WooCommerce by Omnisend
    ≤ 1.18.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N