CVE-2026-48873: WordPress Montonio for WooCommerce plugin <= 10.1.2 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in Montonio for WooCommerce <= 10.1.2 versions.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated broken access control vulnerability affects the Montonio for WooCommerce WordPress plugin at version 10.1.2 and earlier. The flaw is reachable over the network with no credentials required and no user interaction needed, meaning any remote party can trigger the affected functionality without logging in. Successful exploitation allows an attacker to tamper with data; the high integrity impact gives a CVSS v3.1 base score of 7.5 (HIGH). No fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.
HarborGuard Coverage
Detection: Available
Detection of CVE-2026-48873 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds including Patchstack, covering both standard and custom-built images that bundle the Montonio for WooCommerce plugin. Any image in a customer registry or CI/CD pipeline running plugin version 10.1.2 or earlier is eligible for flagging.
Triage: Available
Triage is available with a CVSS v3.1 score of 7.5 (HIGH) applied automatically, and per-environment compliance policy weighting can escalate or suppress alert priority based on each customer's configured thresholds. Findings are routed to the appropriate team inbox within each customer organization according to their notification and ownership rules.
Fix: Pending upstream
Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the interim, compensating controls such as network-policy isolation of affected workloads are surfaced as advisory guidance within the platform.
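Flagging an image as affected comes down to reading the installed plugin version and comparing it with the advisory's range. The following is an added example, not HarborGuard's scanner: it parses the standard WordPress plugin header (the `Version:` line of the main plugin file) from a constructed sample and reports whether the version falls inside the affected range <= 10.1.2. The sample header text is constructed for this example; the real main file name and header of Montonio for WooCommerce are not given on the page.

```python
"""Version-range check for a WordPress plugin advisory (added example)."""
import re
from typing import Optional, Tuple

# Constructed sample of a plugin main-file header (not the real plugin file).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Montonio for WooCommerce
 * Version: 10.1.2
 * Requires at least: 5.0
 */
"""

# Highest affected version from the advisory: "<= 10.1.2".
MAX_AFFECTED = "10.1.2"

# WordPress reads headers as 'Key: value' lines inside the leading comment.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def plugin_version(header_text: str) -> Optional[str]:
    """Return the declared plugin version, or None if no Version header exists."""
    m = VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[tuple, int]:
    """Turn '10.1.2' (or '10.1.2-beta1') into a sortable key.

    Trailing zero components are dropped so '10.1.0' == '10.1', and a
    pre-release suffix sorts before the bare release of the same number.
    """
    numeric = re.match(r"[0-9]+(?:\.[0-9]+)*", version)
    if not numeric:
        raise ValueError("unparseable version: %r" % version)
    parts = [int(p) for p in numeric.group(0).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    has_suffix = len(numeric.group(0)) < len(version)
    return (tuple(parts), 0 if has_suffix else 1)


def is_affected(version: str, max_affected: str = MAX_AFFECTED) -> bool:
    """True when version <= max_affected, i.e. inside the advisory's range."""
    return version_key(version) <= version_key(max_affected)


def assess(header_text: str) -> dict:
    """Combine header parsing and the range check into one finding record."""
    version = plugin_version(header_text)
    if version is None:
        return {"version": None, "affected": None, "reason": "no Version header found"}
    affected = is_affected(version)
    return {
        "version": version,
        "affected": affected,
        "reason": "version <= %s" % MAX_AFFECTED if affected else "version > %s" % MAX_AFFECTED,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_PLUGIN_HEADER))
```

Because no fixed version has been published, the upper bound is the last known affected release; once a fix ships, the check should be changed to "strictly less than the fixed version" rather than "less than or equal to the last affected one".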
Exploit Conditions
- Network reachability: Required
The attacker must reach the WordPress site over the network; the vulnerable plugin endpoint is exposed via standard HTTP/HTTPS with no network-level restriction assumed.
- Authentication: Not required
No account or session credential of any kind is needed; the flaw is fully unauthenticated and exploitable by any anonymous remote party.
- Victim interaction: Not required
The attacker does not need any action from a site visitor or administrator to trigger the vulnerability.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental preconditions beyond reaching the service.
Blast Radius
- An unauthenticated attacker can perform unauthorized write operations through the broken access control endpoint, bypassing permission checks that should gate those actions.
- Order, payment, or plugin configuration data within WooCommerce can be modified or manipulated without any legitimate user authorizing the change.
- Integrity of the store's transaction or fulfillment records is at high risk: the CVSS integrity impact is scored High (I:H), with no confidentiality or availability impact indicated (C:N, A:N).
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists for CVE-2026-48873 at this time, the platform monitors the Patchstack advisory on every ingest cycle and will automatically initiate a patched-image rebuild and, for customers with auto-remediation enabled, open a PR against affected workloads the moment a fix version is published. Until then, HarborGuard surfaces compensating-control guidance including network-policy isolation of the WordPress workload, egress filtering to limit unexpected outbound calls from the plugin, and WAF rule suggestions targeting unauthenticated requests to affected plugin routes. Customers with compliance policies that require a remediation SLA on HIGH-severity findings will see this CVE escalated in their triage queue until upstream resolution is confirmed.
Affected Products
- Montonio / Montonio for WooCommerce: ≤ 10.1.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N