CVE-2026-56027 | Severity: CRITICAL | CNA: Patchstack

CVE-2026-56027: WordPress Booster for WooCommerce plugin <= 8.0.1 - Arbitrary File Upload vulnerability

Arbitrary file upload by an authenticated customer-level user in Booster for WooCommerce versions <= 8.0.1.

Metrics

CVSS v3.1 base score: 9.9
Severity: CRITICAL
Fixed in: no fixed version published yet
Affected products: 1


HarborGuard Analysis

Synopsis

An arbitrary file upload vulnerability affects the Booster for WooCommerce WordPress plugin at version 8.0.1 and earlier. The flaw is reachable over the network and requires only a low-privilege (customer-level) account, with no additional user interaction needed. Successful exploitation allows an attacker to upload malicious files to the server, enabling remote code execution, full data disclosure, and complete integrity compromise of the affected environment. No upstream fix has been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection (Available)

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against all customer images, including custom-built images that bundle WordPress or WooCommerce plugin stacks. Any image carrying Booster for WooCommerce at or below version 8.0.1 is flagged automatically.
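As an added illustration of the version-matching step described above (example code written for this page, not HarborGuard's scanner), the block below parses the header comment that WordPress itself reads from a plugin's main PHP file and compares the declared version against the advisory's "<= 8.0.1" range. The header text is constructed, and since the advisory does not name the plugin's main file, the matcher keys on the "Plugin Name" field rather than on a file path. Versions are compared numerically so that 8.0.10 sorts after 8.0.2, a mistake plain string comparison makes.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of the header comment WordPress parses from a plugin's
# main PHP file. Field values are illustrative; only the plugin name and the
# affected range (<= 8.0.1) come from the advisory.
SAMPLE_PLUGIN_FILE = """<?php
/**
 * Plugin Name: Booster for WooCommerce
 * Plugin URI: https://booster.io
 * Description: Supercharge your WooCommerce site
 * Version: 8.0.1
 * Author: Pluggabl LLC
 */
"""

VULNERABLE_PLUGIN = "Booster for WooCommerce"
AFFECTED_THROUGH = "8.0.1"          # advisory: every version <= 8.0.1 is affected

# One "Key: value" header line; WordPress allows an optional leading '*'.
_HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(text: str) -> Dict[str, str]:
    """Return the header fields the matcher needs; first occurrence wins, as in WordPress."""
    fields: Dict[str, str] = {}
    for key, value in _HEADER_RE.findall(text):
        fields.setdefault(key, value)
    return fields


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for ordering, so 8.0.10 sorts after 8.0.2.
    Only the leading digits of each dotted part are used; '8.0.1-beta' becomes (8, 0, 1)."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def is_affected(found_version: str, affected_through: str = AFFECTED_THROUGH) -> bool:
    """True when the declared version falls inside the advisory's '<= 8.0.1' range."""
    return version_key(found_version) <= version_key(affected_through)


def flag_plugin(plugin_file_text: str) -> Optional[str]:
    """Return a finding string for an affected Booster install, or None when the file
    is a different plugin or a fixed version. An unparseable Version header is reported
    rather than silently passed."""
    header = parse_plugin_header(plugin_file_text)
    if header.get("Plugin Name") != VULNERABLE_PLUGIN:
        return None
    version = header.get("Version")
    if version is None or not version_key(version):
        return f"CVE-2026-56027: {VULNERABLE_PLUGIN} found with unparseable Version header; review manually"
    if not is_affected(version):
        return None
    return f"CVE-2026-56027: {VULNERABLE_PLUGIN} {version} is <= {AFFECTED_THROUGH}"


if __name__ == "__main__":
    print(flag_plugin(SAMPLE_PLUGIN_FILE))
```

In a real scan the same function would be run over every `wp-content/plugins/*/*.php` file in the image; the header format is the one WordPress defines, so the matcher does not depend on the plugin's directory name.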

Triage (Available)

HarborGuard scores this CVE at CVSS 9.9 Critical and is capable of weighting that score against each customer environment's compliance policy to prioritize routing. Triage notifications are delivered to the appropriate team inbox within each customer org based on configured ownership rules.

Patch (Pending upstream)

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Pluggabl ships a remediated release. In the interim, customers with compensating-control policies can use HarborGuard network-policy recommendations to restrict inbound access to the affected plugin endpoint while the advisory remains open.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker can reach it from any host that can reach the site, with no local or physical access required.

  • Authentication: Required (low privilege)

    A low-privilege account (such as a standard WooCommerce customer account) is sufficient; no administrative credentials are needed.

  • Victim interaction: Not required

    The attacker does not need to trick or involve any other user to complete the exploit.

  • Attack complexity: Low

    The exploit is reliable and requires no race conditions, memory-layout knowledge, or other environmental prerequisites.

Blast Radius

  • An attacker uploads a malicious file (such as a PHP web shell) to the server and executes arbitrary operating system commands.
  • All data stored in the WordPress database, including customer records, order details, and session tokens, becomes readable.
  • An attacker can modify or delete database rows, plugin files, and uploaded content, corrupting site integrity.
  • The attacker can crash or deny service to the WordPress application by overwriting critical files or exhausting server resources.

How HarborGuard Handles This

This CVE is monitored continuously because no upstream fix has been published for Booster for WooCommerce at or below 8.0.1. Every ingest cycle, HarborGuard re-checks the Patchstack advisory and will automatically trigger a patched-image rebuild for affected environments the moment a fix version is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads are initiated without manual intervention once an upstream fix is confirmed.

While the advisory remains open, customers can apply compensating controls through HarborGuard's network-policy isolation recommendations: restricting unauthenticated and low-privilege file upload routes at the ingress or WAF layer, and using feature-flag gating to disable the affected customer upload functionality until a patch is available.

Affected packages
  • Pluggabl / Booster for WooCommerce
    ≤ 8.0.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H