HarborGuard Database
HIGH · CVE-2026-48883 · CNA: Patchstack

CVE-2026-48883: WordPress WPC Product Bundles for WooCommerce plugin <= 8.5.3 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in WPC Product Bundles for WooCommerce <= 8.5.3 versions.

Metrics

  • CVSS v3.1 base score: 7.5
  • Severity: HIGH
  • Fixed in: no fix version published upstream
  • Affected products: 1


HarborGuard Analysis

Synopsis

This is a broken access control vulnerability in the WPC Product Bundles for WooCommerce WordPress plugin, affecting versions 8.5.3 and earlier. The vulnerability is reachable over the network with no authentication required and no user interaction needed, as reflected in the CVSS vector. Successful exploitation allows an unauthenticated attacker to make unauthorized modifications to data, with high integrity impact on the affected installation. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-48883 is active across every HarborGuard environment: the CVE is matched against customer images within minutes of ingestion from upstream feeds such as Patchstack, and coverage extends to custom-built images that package this plugin. Any image containing WPC Product Bundles for WooCommerce at version 8.5.3 or earlier is flagged automatically across connected registries and CI/CD pipelines.
Triage: Available

HarborGuard scores this CVE at 7.5 HIGH using the CVSS v3.1 vector and can weight findings further against each customer organization's compliance policy to reflect their actual risk posture. Triage alerts are routed to the appropriate team inbox within each customer environment based on configured ownership rules.
Patch: Pending upstream

No fix version has been published upstream for this CVE, so HarborGuard re-checks the advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment WPClever ships a remediated release. In the interim, compensating controls such as network-policy isolation and web application firewall rules blocking the affected endpoints can be applied within each environment.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress installation via HTTP/HTTPS to exploit this issue.

  • Authentication: Not required

    No account or session token is needed; the attacker can trigger the vulnerability as a completely anonymous user.

  • Victim interaction: Not required

    No action from any logged-in user or administrator is required for the attack to succeed.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental factors to succeed.

Blast Radius

  • An unauthenticated attacker can perform unauthorized write operations against product bundle data, such as modifying bundle configurations, pricing rules, or associated product relationships stored in the WooCommerce database.
  • Data integrity for product listings and bundle definitions is compromised, which can result in altered storefront behavior, incorrect pricing presented to shoppers, or manipulation of bundled product contents.
  • No confidentiality impact is indicated by the CVSS vector, so stored customer or order data is not directly read by this exploit.
  • No availability impact is indicated, so the service itself is not crashed or disrupted by exploitation.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active across connected environments, flagging any image that packages WPC Product Bundles for WooCommerce at version 8.5.3 or earlier. Because no upstream fix exists at this time, HarborGuard monitors the Patchstack advisory on every ingest cycle and, the moment a fix version is published, will make available a patched-image rebuild (and, for customers with auto-remediation enabled, an automated regression run and pull request against affected workloads). While waiting for an upstream patch, compensating controls worth considering include network-policy rules that restrict public access to the specific REST or admin-ajax endpoints exercised by this vulnerability, web application firewall rules that block unauthenticated requests to those routes, and feature-flag or plugin-deactivation gating if bundle functionality is non-critical to the affected environment.

Affected packages

  • WPClever / WPC Product Bundles for WooCommerce: ≤ 8.5.3

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N