CVE-2026-11364 Overview
CVE-2026-11364 affects the Product Specifications for WooCommerce plugin for WordPress in versions up to and including 0.8.9. The plugin exposes two AJAX actions, dwps_modify_groups and dwps_modify_attributes, that lack both capability checks and nonce verification. Authenticated attackers with Subscriber-level access can invoke these endpoints to create, edit, and delete arbitrary product specification groups and attributes. The affected taxonomies are spec-group and the plugin's attribute taxonomy. Corruption of these taxonomy terms disrupts business data and the storefront display for shoppers. The weakness is tracked as CWE-862: Missing Authorization.
Critical Impact
Any authenticated WordPress user, including low-privilege Subscribers, can modify or destroy WooCommerce product specification taxonomy data, degrading storefront integrity.
Affected Products
- Product Specifications for WooCommerce plugin for WordPress, versions <= 0.8.9
- WordPress sites running WooCommerce with the plugin installed and enabled
- Sites permitting open user registration (Subscriber role) are at greatest exposure
Discovery Timeline
- 2026-06-27 - CVE-2026-11364 published to NVD
- 2026-06-29 - Last updated in NVD database
Technical Details for CVE-2026-11364
Vulnerability Analysis
The vulnerability resides in the __invoke() methods of the AttributeGroupController and AttributeController classes within the plugin's EntityUpdater module. These controllers are wired to the dwps_modify_groups and dwps_modify_attributes AJAX handlers through the plugin's Module class. Neither controller calls current_user_can() to verify the caller holds an administrative capability such as manage_woocommerce or manage_options. Neither controller calls check_ajax_referer() or wp_verify_nonce() to validate an anti-CSRF token. As a result, any authenticated session, including a Subscriber created through open registration, can submit crafted AJAX requests that create, rename, or delete taxonomy terms in spec-group and the attribute taxonomy. The source of both controllers is public in the plugin's repository.
Root Cause
The root cause is missing authorization (CWE-862) combined with missing request-origin validation. The controllers assume the AJAX endpoint is only reachable by trusted admin UI code, but WordPress's wp_ajax_ hook registers the action for every logged-in user by default. Without a capability check, the privilege boundary collapses to authentication alone.
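What the two missing checks look like in code, as an added illustration rather than the plugin's own source: a wp_ajax_ handler with neither check, beside a hardened form that verifies the nonce and then the capability. The function names and the name parameter are hypothetical.

```php
<?php
// Added example, not the plugin's code. Hypothetical handler names.

// Vulnerable shape: wp_ajax_{action} fires for every authenticated session,
// and nothing here narrows it further, so a Subscriber can reach wp_insert_term().
function dwps_groups_handler_unsafe() {
    $name = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $term = wp_insert_term( $name, 'spec-group' );
    wp_send_json_success( $term );
}

// Hardened shape: request-origin check first (CSRF), then authorization.
function dwps_groups_handler_safe() {
    // Dies with HTTP 403 unless _ajax_nonce (or _wpnonce) is a valid nonce
    // for the 'dwps_modify_groups' action; die-on-failure is the default.
    check_ajax_referer( 'dwps_modify_groups' );

    // Authentication is not authorization: require a store-management capability.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $name = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    if ( '' === $name ) {
        wp_send_json_error( array( 'message' => 'Missing name' ), 400 );
    }

    $term = wp_insert_term( $name, 'spec-group' );
    if ( is_wp_error( $term ) ) {
        wp_send_json_error( array( 'message' => $term->get_error_message() ), 400 );
    }
    wp_send_json_success( $term );
}
add_action( 'wp_ajax_dwps_modify_groups', 'dwps_groups_handler_safe' );

// The admin UI must obtain the matching nonce server-side, e.g. with
// wp_create_nonce( 'dwps_modify_groups' ), and send it as _ajax_nonce.
```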
Attack Vector
An attacker registers or authenticates to the target WordPress site with any role. The attacker sends a POST request to /wp-admin/admin-ajax.php with action=dwps_modify_groups or action=dwps_modify_attributes and controller parameters that trigger create, update, or delete operations. Because no nonce is required, the request succeeds directly and the taxonomy term is modified server-side.
No verified exploit code is published. See the Wordfence advisory for additional context.
Detection Methods for CVE-2026-11364
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php containing action=dwps_modify_groups or action=dwps_modify_attributes originating from Subscriber or Customer accounts
- Unexpected creation, renaming, or deletion of terms in the spec-group taxonomy or the plugin's attribute taxonomy
- Storefront product pages missing specification data or displaying attacker-controlled labels
Detection Strategies
- Enable WordPress audit logging for taxonomy term create, edit, and delete events and correlate them with the acting user role
- Alert on admin-ajax.php requests where the action parameter matches dwps_modify_* and the authenticated user lacks the manage_woocommerce capability
- Compare current spec-group and attribute term counts against a known-good baseline on a scheduled basis
Monitoring Recommendations
- Forward WordPress and web server access logs to a centralized SIEM for role-aware query rules against admin-ajax.php
- Monitor sudden spikes in Subscriber-role registrations, which often precede low-privilege exploitation attempts
- Track database changes to the wp_terms, wp_term_taxonomy, and wp_termmeta tables outside of scheduled administrative windows
How to Mitigate CVE-2026-11364
Immediate Actions Required
- Update the Product Specifications for WooCommerce plugin to a version newer than 0.8.9 once released by the maintainer
- Audit existing WordPress accounts and remove or downgrade unused Subscriber and Customer accounts
- Review spec-group and attribute taxonomy terms for unauthorized modifications and restore from backup where needed
Patch Information
At the time of publication, the fix is tracked in the plugin's WordPress.org repository. Review the WordPress commit changeset and upgrade to the first version that introduces capability checks and nonce verification in the AttributeController and AttributeGroupController classes.
Workarounds
- Disable the Product Specifications for WooCommerce plugin until a patched version is installed
- Disable open user registration by unchecking Settings → General → "Anyone can register" to reduce the pool of authenticated attackers
- Restrict /wp-admin/admin-ajax.php access with a web application firewall rule that blocks the dwps_modify_groups and dwps_modify_attributes actions for non-administrator sessions; a generic WAF that cannot see the WordPress role will block those actions for every session, including the admin UI, until the plugin is patched
# Example WAF rule (ModSecurity) blocking the vulnerable AJAX actions.
# The WAF cannot see the WordPress role, so this denies the two actions for
# every session, including the admin UI, until the plugin is patched.
# REQUEST_FILENAME is matched instead of REQUEST_URI so that a query string
# (admin-ajax.php?action=...) cannot defeat the @endsWith comparison.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
    "chain,phase:2,deny,status:403,id:1026113640,\
    msg:'Block CVE-2026-11364 Product Specifications AJAX abuse'"
    SecRule ARGS:action "@rx ^dwps_modify_(groups|attributes)$" "t:none"
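A site-side alternative to the WAF rule that can see the WordPress role, serving both the Detection Strategies and the Workarounds above. This is an added example, not the plugin's code; it assumes the plugin registers its AJAX handlers at WordPress's default hook priority of 10.

```php
<?php
/**
 * Plugin Name: CVE-2026-11364 AJAX gate (added example, not the plugin's code)
 * Description: Denies dwps_modify_* AJAX calls from users without
 * manage_woocommerce and logs each denied attempt for the SIEM.
 */

// wp_ajax_{action} fires for every logged-in user. Hooking at priority 0 runs
// before the plugin's controller (assumed registered at the default priority
// 10), and wp_send_json_error() ends the request, so the controller never runs.
foreach ( array( 'dwps_modify_groups', 'dwps_modify_attributes' ) as $dwps_action ) {
    add_action( 'wp_ajax_' . $dwps_action, function () use ( $dwps_action ) {
        // Store managers keep the admin UI working normally.
        if ( current_user_can( 'manage_woocommerce' ) ) {
            return;
        }

        $user = wp_get_current_user();
        $ip   = isset( $_SERVER['REMOTE_ADDR'] )
            ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
            : '';

        // Detection: one structured line per denied call. error_log() writes to
        // PHP's error log (wp-content/debug.log when WP_DEBUG_LOG is enabled).
        error_log( sprintf(
            'dwps-gate denied action=%s user_id=%d login=%s roles=%s ip=%s',
            $dwps_action,
            $user->ID,
            $user->user_login,
            implode( ',', (array) $user->roles ),
            $ip
        ) );

        // Mitigation: refuse before the vulnerable controller executes.
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }, 0 );
}
```

Place the file in wp-content/mu-plugins/ so it loads before regular plugins; it gates on capability only, so the CSRF exposure of store-manager sessions remains until the official fix adds nonce verification.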
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.