CVE-2026-52694: WordPress Signature Add-On for WooCommerce plugin <= 2.0 - Sensitive Data Exposure vulnerability
Unauthenticated Sensitive Data Exposure in Signature Add-On for WooCommerce <= 2.0 versions.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a sensitive data exposure vulnerability in the Signature Add-On for WooCommerce WordPress plugin at version 2.0 and below. The flaw is reachable over the network with no authentication required and no user interaction needed, making it trivially accessible to any remote attacker. Successful exploitation allows an attacker to read sensitive data stored or processed by the plugin, such as customer signature records associated with WooCommerce orders. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection for CVE-2026-52694 is available across every HarborGuard environment; the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against customer images, including custom-built WordPress or WooCommerce images. Any image found to carry an affected version of the Signature Add-On for WooCommerce plugin at 2.0 or below is flagged automatically.
Available
HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and is capable of weighting that score against each customer environment's compliance policy to reflect actual exposure context. Triage findings are routable to the appropriate team inbox within each customer organization based on policy configuration.
Available
No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated release.
Pending upstream
Exploit Conditions
- Network reachability: Required
The vulnerable service must be reachable over the network; an attacker can send crafted requests from anywhere on the internet without needing a foothold on the host.
- Authentication: Not required
No account or session credential of any kind is needed; the vulnerable endpoint is accessible to unauthenticated requests.
- Victim interaction: Not required
Exploitation is fully passive from the victim's perspective and requires no action from any user of the affected site.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and imposes no special preconditions such as race conditions or specific memory layout requirements.
Blast Radius
- An attacker reads sensitive data handled by the plugin, which in a WooCommerce context can include customer signature images and the order records they are attached to.
- No write or delete capability is implied by the vulnerability; data integrity and service availability are not directly affected by this flaw.
- Exposed signature records may contain personally identifiable information, creating compliance obligations under privacy regulations for affected site operators.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE is active and matches against any customer image carrying the Signature Add-On for WooCommerce plugin at version 2.0 or below, including images built from custom WordPress base layers. Because no upstream fix has been published, automated patched-image rebuilds are not yet possible. HarborGuard re-evaluates the advisory on every ingest cycle and will trigger the rebuild-and-PR flow for customers with auto-remediation enabled as soon as a fix version is released. In the meantime, compensating controls worth considering include network-policy rules that restrict unauthenticated external access to the affected plugin endpoints, web application firewall rules targeting the exposed route, and egress filtering to limit what the plugin can reach if further exploitation paths emerge. The advisory will remain open in the HarborGuard feed with automatic status updates as the upstream maintainer responds.
- WP E-Signature / Signature Add-On for WooCommerce ≤ 2.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N