CVE-2026-49061: WordPress WPC Product Options for WooCommerce plugin <= 3.2.1 - Arbitrary File Download vulnerability
Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce <= 3.2.1 versions.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: no upstream fix published yet
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated arbitrary file download vulnerability affects the WPC Product Options for WooCommerce WordPress plugin in versions 3.2.1 and earlier. The flaw is reachable over the network with no login or account required, making it trivially accessible to any external attacker. Successful exploitation allows an attacker to download arbitrary files from the server, exposing potentially sensitive data such as configuration files, credentials, and private application data. HarborGuard is tracking the Patchstack advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: CVE-2026-49061 is ingested from upstream feeds including Patchstack within minutes of publication and matched against all customer images, including custom-built WordPress and WooCommerce images that bundle this plugin. Any image carrying WPC Product Options for WooCommerce at version 3.2.1 or earlier is flagged automatically.
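As an added example of the matching step described above (this is not HarborGuard's or WPClever's code): a scanner-side check that reads the plugin header WordPress itself uses, parses the Version field and decides whether the installed version is inside the advisory's range (≤ 3.2.1). The sample header block is constructed for illustration, and the assumption that a plugin's main file sits at `wp-content/plugins/<slug>/*.php` (or `wp-content/plugins/*.php` for single-file plugins) follows WordPress convention rather than anything in the advisory. The point a practitioner most often gets wrong is the comparison: versions must be compared numerically per component, otherwise a future 3.10.0 would sort below 3.2.1 and be flagged.

```python
import re
from pathlib import Path
from typing import Optional

# Facts taken from the advisory: all versions <= 3.2.1 are affected and no
# fixed version has been published yet.
CVE_ID = "CVE-2026-49061"
AFFECTED_PLUGIN_NAME = "WPC Product Options for WooCommerce"
LAST_AFFECTED_VERSION = "3.2.1"

# WordPress reads plugin metadata from a comment header in the plugin's main
# PHP file and looks only at the first 8 KiB of that file.
HEADER_BYTES = 8192
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)

# Constructed sample header for the affected plugin; it is not the plugin's
# real source file, only the field layout WordPress expects.
SAMPLE_PLUGIN_FILE = """<?php
/**
 * Plugin Name: WPC Product Options for WooCommerce
 * Plugin URI: https://wpclever.net/
 * Description: Product options for WooCommerce.
 * Version: 3.2.1
 * Author: WPClever
 */
"""


def parse_plugin_header(text: str) -> dict:
    """Return the 'Plugin Name' and 'Version' header fields; first occurrence wins."""
    fields = {}
    for key, value in HEADER_RE.findall(text[:HEADER_BYTES]):
        fields.setdefault(key, value)
    return fields


def version_key(version: str) -> tuple:
    """Numeric tuple for the leading dotted part of a version string.

    Comparing tuples, not strings, is what makes '3.10.0' sort after '3.2.1';
    a naive string comparison would flag 3.10.0 as affected. A pre-release
    suffix such as '3.2.1-rc1' is treated as 3.2.1 (conservative: affected).
    """
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_affected(plugin_name: str, version: str) -> bool:
    """True when this plugin/version pair falls inside the advisory's range (<= 3.2.1)."""
    if plugin_name.strip().casefold() != AFFECTED_PLUGIN_NAME.casefold():
        return False
    return version_key(version) <= version_key(LAST_AFFECTED_VERSION)


def check_plugin_source(text: str, path: str = "<inline>") -> Optional[dict]:
    """Inspect one PHP file's header; return a finding dict, or None if not affected."""
    fields = parse_plugin_header(text)
    name, version = fields.get("Plugin Name"), fields.get("Version")
    if not name or not version:
        return None  # not a plugin main file, or header missing
    if not is_affected(name, version):
        return None
    return {
        "cve": CVE_ID,
        "plugin": name,
        "version": version,
        "path": path,
        "fixed_in": None,  # None until an upstream fix version is published
    }


def scan_plugins_dir(plugins_dir: Path) -> list:
    """Scan an unpacked image's wp-content/plugins directory (layout is an assumption).

    WordPress recognises both single-file plugins (plugins/*.php) and
    directory plugins whose main file sits at plugins/<slug>/*.php.
    """
    findings = []
    candidates = sorted(list(plugins_dir.glob("*.php")) + list(plugins_dir.glob("*/*.php")))
    for php in candidates:
        try:
            head = php.read_bytes()[:HEADER_BYTES].decode("utf-8", errors="replace")
        except OSError:
            continue
        finding = check_plugin_source(head, str(php))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # usage: python check_cve_2026_49061.py /path/to/wp-content/plugins
        for f in scan_plugins_dir(Path(sys.argv[1])):
            print(f)
    else:
        print(check_plugin_source(SAMPLE_PLUGIN_FILE))
```

Run it against the plugins directory of an unpacked image layer to get one finding per affected plugin main file; the `fixed_in` field stays `None` because the advisory lists no fixed version, which is the signal to fall back to compensating controls rather than an upgrade.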
HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on configured severity thresholds and ownership rules.
Because no fix version has been published upstream, HarborGuard re-checks the Patchstack advisory and NVD record on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the interim, HarborGuard surfaces the affected images and supports manual compensating-control workflows such as network-policy isolation and egress filtering.
Exploit Conditions
- Network reachability: Required
  The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress/WooCommerce service via HTTP or HTTPS.
- Authentication: Not required
  No account or session token of any privilege level is needed; the file download endpoint is accessible to unauthenticated requests.
- Victim interaction: Not required
  The attacker sends a direct request to the vulnerable endpoint; no user on the target site needs to take any action.
- Attack complexity: Low
  Exploitation is straightforward and condition-free; no race condition, memory-layout knowledge, or special environmental state is required.
Blast Radius
- Reads arbitrary files from the server filesystem, limited only by what the web server's user can read, which in a typical WordPress deployment includes wp-config.php and with it the database credentials and secret keys.
- Exposes private application data such as uploaded customer files, internal documents, or backup archives stored within the web root or accessible paths.
- Allows credential harvesting that can be used to pivot into the database or other connected services.
- Discloses environment and configuration details that assist further attack planning.
How HarborGuard Handles This
Because no upstream patch exists for CVE-2026-49061 at this time, HarborGuard re-ingests the Patchstack advisory on every feed cycle so that a patched-image rebuild becomes available automatically the moment a fix version is published. For customers with auto-remediation enabled, that rebuild triggers a regression test run and a PR opened against affected workloads, with no manual intervention required. While waiting for an upstream fix, customers can apply compensating controls through HarborGuard's policy engine: network-policy isolation to restrict external access to the plugin's file-serving endpoints, egress filtering to limit outbound connections from affected containers, and feature-flag or WAF-rule gating to block requests matching the vulnerable path pattern once that pattern is known from the advisory. All affected images at version 3.2.1 and below are surfaced in the findings dashboard for immediate review.
Affected Products
- WPClever / WPC Product Options for WooCommerce: ≤ 3.2.1
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N