CVE-2026-49110: WordPress Upsell Order Bump Offer for WooCommerce plugin <= 3.1.4 - Price Manipulation vulnerability
Unauthenticated Broken Authentication in Upsell Order Bump Offer for WooCommerce <= 3.1.4 versions.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a broken authentication vulnerability in the Upsell Order Bump Offer for WooCommerce WordPress plugin, affecting versions 3.1.4 and earlier. The flaw is reachable over the network with no authentication required and no user interaction needed, making it trivially exploitable by any remote attacker. Successful exploitation allows an attacker to manipulate product prices during checkout, directly tampering with order data. No fix has been published yet; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
- Detection (Available): Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images containing the affected plugin. Coverage extends to custom-built WordPress and WooCommerce container images alongside images pulled from public registries.
- Scoring and routing (Available): HarborGuard is capable of scoring this CVE at 7.5 HIGH (CVSS v3.1) and weighting it against each environment's compliance policy to prioritize remediation routing. Findings can be directed to the appropriate team inbox within each customer organization based on configured ownership rules.
- Patched-image rebuild (Pending upstream): Because no upstream fix has been published, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment a fix version is released. In the meantime, customers can apply compensating controls such as network-policy isolation or web application firewall rules to restrict access to the affected checkout endpoints.
Exploit Conditions
- Network reachability: Required
The vulnerable plugin endpoint is exposed over the network, meaning any remote attacker who can reach the WooCommerce store can send a malicious request.
- Authentication: Not required
No account or credentials of any kind are needed; the vulnerability is exploitable by an anonymous, unauthenticated HTTP request.
- Victim interaction: Not required
The attacker does not need to trick or involve any user; the exploit is entirely server-side and requires no victim action.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and imposes no special conditions, race requirements, or environmental dependencies on the attacker.
Blast Radius
- An attacker can manipulate the price of upsell order bump items at checkout, paying less than the intended amount for products.
- Order integrity across any WooCommerce transaction that includes an upsell bump offer is undermined, affecting revenue and financial records.
- No confidential data is directly disclosed and no service disruption occurs, but persisted order rows in the database reflect the attacker-supplied, fraudulent pricing.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-49110 is active and matches any customer image containing the Upsell Order Bump Offer for WooCommerce plugin at version 3.1.4 or earlier. Because no upstream fix exists at this time, HarborGuard monitors the Patchstack advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment a fix version is published. For customers who opt into auto-remediation, that rebuild will trigger a regression test run and a PR opened against affected workloads with no manual steps required. While awaiting a patch, recommended compensating controls include isolating the WooCommerce container behind a web application firewall rule that validates price parameters server-side, applying strict network policy to limit inbound HTTP access to known trusted sources, and reviewing recent order records for anomalous pricing discrepancies that may indicate prior exploitation.
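The two compensating controls named above, validating price parameters server-side and reviewing recent orders for anomalous pricing, rest on the same idea: recompute what each line should cost from data the server controls (the catalog and the merchant's configured bump-offer discount) and never from anything the client submitted. The following audit script is an added example, not HarborGuard's or WP Swings' code. The catalog, the bump-offer configuration, the `LineItem` fields and the sample orders are all constructed for illustration; real WooCommerce storage (order item meta, product meta) is not reproduced, so a deployment would replace `constructed_orders()` with a query against the store's order tables.

```python
"""Audit order line items for price tampering by recomputing each line's
expected total from the server-side catalog and bump-offer configuration.

Added example (not HarborGuard's or WP Swings' code). Field names, the
catalog and the orders below are constructed for illustration; real
WooCommerce storage (order item meta, product meta) is not reproduced.
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


@dataclass(frozen=True)
class LineItem:
    order_id: int
    product_id: int
    qty: int
    line_total: Decimal  # amount the line was actually charged at
    is_bump: bool        # True if the line came from an upsell bump offer


# Constructed catalog: product_id -> regular unit price (the trusted source).
CATALOG = {
    101: Decimal("40.00"),
    202: Decimal("12.50"),
    303: Decimal("99.00"),
}

# Constructed bump-offer configuration: product_id -> percent discount the
# merchant actually configured for the offer.
BUMP_DISCOUNT_PCT = {
    202: Decimal("20"),
    303: Decimal("10"),
}


def expected_line_total(product_id: int, qty: int, is_bump: bool) -> Decimal:
    """Recompute what the line should cost from server-side data only.

    Nothing supplied by the client (a submitted price, discount or total)
    participates in this calculation; a hardened checkout path or a
    validating WAF rule needs the same property.
    """
    unit = CATALOG[product_id]
    if is_bump:
        pct = BUMP_DISCOUNT_PCT.get(product_id, Decimal("0"))
        unit = unit * (Decimal("100") - pct) / Decimal("100")
    return (unit * qty).quantize(CENT, rounding=ROUND_HALF_UP)


def audit_line_items(items, tolerance: Decimal = CENT) -> list:
    """Return one finding per line whose charged total is below the expected
    total by more than `tolerance`, or whose product is not in the catalog."""
    findings = []
    for it in items:
        if it.product_id not in CATALOG:
            findings.append({"order_id": it.order_id, "product_id": it.product_id,
                             "issue": "unknown product", "shortfall": None})
            continue
        expected = expected_line_total(it.product_id, it.qty, it.is_bump)
        shortfall = expected - it.line_total
        if shortfall > tolerance:
            findings.append({"order_id": it.order_id, "product_id": it.product_id,
                             "issue": "underpaid", "expected": expected,
                             "charged": it.line_total, "shortfall": shortfall})
    return findings


def constructed_orders() -> list:
    """Sample order rows (constructed): one clean order, one tampered bump
    line, one rounding-only difference, one unknown product."""
    return [
        LineItem(5001, 101, 1, Decimal("40.00"), False),
        LineItem(5001, 202, 1, Decimal("10.00"), True),   # 12.50 less 20%: fine
        LineItem(5002, 303, 2, Decimal("0.02"), True),    # should be 178.20
        LineItem(5003, 202, 1, Decimal("9.99"), True),    # 1 cent off: tolerated
        LineItem(5004, 999, 1, Decimal("5.00"), False),   # not in catalog
    ]


if __name__ == "__main__":
    for finding in audit_line_items(constructed_orders()):
        print(finding)
```

Run against the constructed rows, the audit reports order 5002 (a bump line charged at 0.02 instead of 178.20) and order 5004 (a product id with no catalog entry), while the one-cent rounding difference on order 5003 stays below the tolerance. The `tolerance` argument exists because legitimate tax and rounding adjustments can differ by a cent; set it no wider than your store's rounding actually produces, or tampering that shaves small amounts per line will hide inside it.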
- WP Swings / Upsell Order Bump Offer for WooCommerce: ≤ 3.1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N