
CVE-2026-11364: WooCommerce Auth Bypass Vulnerability

CVE-2026-11364 is an authorization bypass flaw in the Product Specifications for WooCommerce plugin that lets any authenticated user modify product specification data. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-11364 Overview

CVE-2026-11364 affects the Product Specifications for WooCommerce plugin for WordPress in versions up to and including 0.8.9. The plugin exposes two AJAX actions, dwps_modify_groups and dwps_modify_attributes, that lack both capability checks and nonce verification. Authenticated attackers with Subscriber-level access can invoke these endpoints to create, edit, and delete arbitrary product specification groups and attributes. The affected taxonomies are spec-group and the plugin's attribute taxonomy. Corruption of these taxonomy terms disrupts business data and the storefront display for shoppers. The weakness is tracked as CWE-862: Missing Authorization.

Critical Impact

Any authenticated WordPress user, including low-privilege Subscribers, can modify or destroy WooCommerce product specification taxonomy data, degrading storefront integrity.

Affected Products

  • Product Specifications for WooCommerce plugin for WordPress, versions <= 0.8.9
  • WordPress sites running WooCommerce with the plugin installed and enabled
  • Sites permitting open user registration (Subscriber role) are at greatest exposure

Discovery Timeline

  • 2026-06-27 - CVE-2026-11364 published to NVD
  • 2026-06-29 - Last updated in NVD database

Technical Details for CVE-2026-11364

Vulnerability Analysis

The vulnerability resides in the __invoke() methods of the AttributeGroupController and AttributeController classes within the plugin's EntityUpdater module. These controllers are wired to the dwps_modify_groups and dwps_modify_attributes AJAX handlers through the plugin's Module class. Neither controller calls current_user_can() to verify that the caller holds an administrative capability such as manage_woocommerce or manage_options, and neither calls check_ajax_referer() or wp_verify_nonce() to validate an anti-CSRF token. As a result, any authenticated session, including a Subscriber created through open registration, can submit AJAX requests that create, rename, or delete taxonomy terms in spec-group and the attribute taxonomy. The source of both controller classes, AttributeController and AttributeGroupController, is publicly available.

Root Cause

The root cause is missing authorization (CWE-862) combined with missing request-origin validation. The controllers assume the AJAX endpoint is only reachable by trusted admin UI code, but WordPress's wp_ajax_ hook registers the action for every logged-in user by default. Without a capability check, privilege boundaries collapse to authentication alone.
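The handler pair below is an added illustration of the CWE-862 pattern just described, written for this article rather than taken from the plugin's code: the first function shows an AJAX handler that trusts authentication alone, the second shows the same handler with the nonce and capability checks the controllers omit. The request fields, the nonce action name and the dwps-admin script handle are assumptions.

```php
<?php
// Illustrative handler pair for the CWE-862 pattern described above; this is
// an added example, not the plugin's actual controller code. The request
// fields (name, term_id) and the nonce action name are assumptions.

// VULNERABLE pattern: wp_ajax_* makes the handler reachable by every logged-in
// user, yet nothing checks who the caller is or where the request came from.
function dwps_modify_groups_vulnerable() {
    $name = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $id   = absint( $_POST['term_id'] ?? 0 );
    $result = $id
        ? wp_update_term( $id, 'spec-group', array( 'name' => $name ) )
        : wp_insert_term( $name, 'spec-group' );
    wp_send_json_success( $result );
}

// HARDENED pattern: validate the anti-CSRF nonce first, then require the
// capability that guards WooCommerce product data; no wp_ajax_nopriv_ hook.
function dwps_modify_groups_hardened() {
    // Ends the request with HTTP 403 when the nonce is missing or invalid.
    check_ajax_referer( 'dwps_modify_groups', 'nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }
    $name = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $id   = absint( $_POST['term_id'] ?? 0 );
    $result = $id
        ? wp_update_term( $id, 'spec-group', array( 'name' => $name ) )
        : wp_insert_term( $name, 'spec-group' );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 400 );
    }
    wp_send_json_success( $result );
}
add_action( 'wp_ajax_dwps_modify_groups', 'dwps_modify_groups_hardened' );

// The admin screen's script must carry the matching nonce; 'dwps-admin' is an
// assumed script handle that the plugin would have registered.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'dwps-admin', 'dwpsAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'dwps_modify_groups' ),
    ) );
} );
```

With only the hardened function registered, a Subscriber's request fails at check_ajax_referer() before any taxonomy call is reached, and a request carrying a valid nonce still fails the capability test.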

Attack Vector

An attacker registers or authenticates to the target WordPress site with any role. The attacker sends a POST request to /wp-admin/admin-ajax.php with action=dwps_modify_groups or action=dwps_modify_attributes and controller parameters that trigger create, update, or delete operations. Because no nonce is required, the request succeeds directly and the taxonomy term is modified server-side.

No verified exploit code is published. See the Wordfence advisory for additional context.

Detection Methods for CVE-2026-11364

Indicators of Compromise

  • POST requests to /wp-admin/admin-ajax.php containing action=dwps_modify_groups or action=dwps_modify_attributes originating from Subscriber or Customer accounts
  • Unexpected creation, renaming, or deletion of terms in the spec-group taxonomy or the plugin's attribute taxonomy
  • Storefront product pages missing specification data or displaying attacker-controlled labels

Detection Strategies

  • Enable WordPress audit logging for taxonomy term create, edit, and delete events and correlate them with the acting user role
  • Alert on admin-ajax.php requests where the action parameter matches dwps_modify_* and the authenticated user lacks the manage_woocommerce capability
  • Compare current spec-group and attribute term counts against a known-good baseline on a scheduled basis

Monitoring Recommendations

  • Forward WordPress and web server access logs to a centralized SIEM for role-aware query rules against admin-ajax.php
  • Monitor sudden spikes in Subscriber-role registrations, which often precede low-privilege exploitation attempts
  • Track database changes to the wp_terms, wp_term_taxonomy, and wp_termmeta tables outside of scheduled administrative windows

How to Mitigate CVE-2026-11364

Immediate Actions Required

  • Update the Product Specifications for WooCommerce plugin to a version newer than 0.8.9 once released by the maintainer
  • Audit existing WordPress accounts and remove or downgrade unused Subscriber and Customer accounts
  • Review spec-group and attribute taxonomy terms for unauthorized modifications and restore from backup where needed

Patch Information

At the time of publication, the fix is tracked in the plugin's WordPress.org repository. Review the WordPress commit changeset and upgrade to the first version that introduces capability checks and nonce verification in the AttributeController and AttributeGroupController classes.

Workarounds

  • Disable the Product Specifications for WooCommerce plugin until a patched version is installed
  • Disable open user registration by unchecking Settings → General → "Anyone can register" to reduce the pool of authenticated attackers
  • Restrict /wp-admin/admin-ajax.php access with a web application firewall rule that blocks the dwps_modify_groups and dwps_modify_attributes actions for non-administrator sessions
```apache
# Example WAF rule (ModSecurity) blocking the vulnerable AJAX actions.
# Note: ModSecurity cannot see the WordPress role, so this rule blocks the two
# actions for every session, including administrators, while it is active.
SecRule REQUEST_URI "@endsWith /wp-admin/admin-ajax.php" \
    "chain,phase:2,deny,status:403,id:1026113640,\
    msg:'Block CVE-2026-11364 Product Specifications AJAX abuse'"
    SecRule ARGS:action "@rx ^dwps_modify_(groups|attributes)$"
```
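The must-use plugin below is an added example, not code from the plugin, the advisory or its vendor. It is a role-aware site-side alternative to the WAF rule above (the WAF cannot see the WordPress capability, so it blocks administrators too) and it also implements the capability-aware alerting from the Detection Strategies section by logging every dwps_modify_* call from a user lacking manage_woocommerce and every spec-group term change. The taxonomy slug spec-group comes from this article; the hook names are standard WordPress hooks.

```php
<?php
/**
 * Plugin Name: DWPS AJAX Guard (added example, not the plugin's own code)
 * Drop-in for wp-content/mu-plugins/. Hooks the two vulnerable actions ahead
 * of the plugin's own handler (priority 0 runs before the default 10) and
 * enforces the capability the controllers omit; also audits spec-group term
 * changes. The attribute taxonomy slug is not named in the advisory, so only
 * spec-group is audited here.
 */

function dwps_guard_log( string $event, array $ctx ): void {
    $user = wp_get_current_user();
    $ctx += array(
        'user_id' => $user->ID,
        'roles'   => implode( ',', (array) $user->roles ),
        'can_mw'  => current_user_can( 'manage_woocommerce' ) ? 1 : 0,
        'ip'      => $_SERVER['REMOTE_ADDR'] ?? '',
    );
    error_log( 'dwps-guard ' . $event . ' ' . wp_json_encode( $ctx ) );
}

// Role-aware virtual patch: administrators keep using the plugin, while any
// caller without manage_woocommerce is logged and refused before the handler.
function dwps_guard_ajax(): void {
    $action = sanitize_key( $_REQUEST['action'] ?? '' );
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return;
    }
    dwps_guard_log( 'blocked_ajax', array( 'action' => $action ) );
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}
add_action( 'wp_ajax_dwps_modify_groups', 'dwps_guard_ajax', 0 );
add_action( 'wp_ajax_dwps_modify_attributes', 'dwps_guard_ajax', 0 );

// Audit trail for the taxonomy the advisory says gets corrupted.
function dwps_guard_term( $term_id, $tt_id, $taxonomy ): void {
    if ( 'spec-group' !== $taxonomy ) {
        return;
    }
    dwps_guard_log( current_action(), array(
        'term_id' => (int) $term_id,
        'ajax'    => wp_doing_ajax() ? sanitize_key( $_REQUEST['action'] ?? '' ) : '',
    ) );
}
add_action( 'created_term', 'dwps_guard_term', 10, 3 );
add_action( 'edited_term', 'dwps_guard_term', 10, 3 );
add_action( 'delete_term', 'dwps_guard_term', 10, 3 );
```

Each log line carries the event, user ID, roles and whether the caller held manage_woocommerce, which is exactly the role correlation the detection strategies above ask for; forward the PHP error log to the SIEM to alert on blocked_ajax events or on term changes where can_mw is 0.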

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
