CVE-2026-11568 Overview
CVE-2026-11568 affects the Product Configurator for WooCommerce WordPress plugin in versions before 1.7.3. The plugin exposes a public AJAX action that returns WooCommerce product data without performing authorization or post-status checks. Unauthenticated attackers can retrieve titles, prices, weights, stock status, and configurator option pricing or SKUs for private and draft products by supplying a product ID. The flaw bypasses WordPress post-visibility controls and exposes non-public product information to anyone on the internet.
Critical Impact
Unauthenticated remote attackers can enumerate private and draft WooCommerce product data, including pricing and SKUs, over the network.
Affected Products
- Product Configurator for WooCommerce WordPress plugin versions prior to 1.7.3
- WordPress sites running WooCommerce with the affected plugin installed
- Sites relying on WordPress post-visibility controls to protect private or draft products
Discovery Timeline
- 2026-07-01 - CVE-2026-11568 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-11568
Vulnerability Analysis
The vulnerability is an unauthenticated information disclosure flaw in a public AJAX endpoint. The plugin registers an AJAX action on the unauthenticated (wp_ajax_nopriv_) hook, which is what makes it reachable by any visitor through the wp-admin/admin-ajax.php interface. The handler accepts a product ID parameter and returns WooCommerce product data directly to the caller. It neither verifies that the requester is allowed to view the referenced post nor checks the post's status.
As a result, attackers can iterate through product IDs and harvest metadata for products that site administrators explicitly marked private or draft. Exposed fields include product title, price, weight, stock status, and configurator option pricing and SKUs. The disclosure impacts confidentiality but not integrity or availability.
Root Cause
The root cause is missing authorization and missing post-status validation in a public AJAX handler [Broken Access Control]. The plugin trusts the product ID supplied by the caller and returns data without checking the post_status field or asking WordPress whether the caller may read that post (for example with current_user_can( 'read_post', $product_id )). The post-visibility rules that normally hide private and draft posts from unauthenticated visitors are enforced by WP_Query and by the REST API permission callbacks, not by wc_get_product() or get_post(), so a custom endpoint that loads a product by ID and echoes it back bypasses them entirely.
Attack Vector
Exploitation requires only network access to the target site. An attacker sends an HTTP request to admin-ajax.php with the vulnerable action parameter and a chosen product ID; because admin-ajax.php reads the action from $_REQUEST, a GET with the parameters in the query string works as well as a POST body. No authentication, session, or user interaction is required. Attackers can script sequential product ID enumeration to bulk-extract catalog data, including unreleased or internal SKUs. For technical details, see the WPScan Vulnerability Analysis.
Detection Methods for CVE-2026-11568
Indicators of Compromise
- Repeated unauthenticated requests to /wp-admin/admin-ajax.php referencing the Product Configurator AJAX action, whether the action arrives in a POST body or in the query string of a GET
- Sequential or scripted enumeration of product ID values in AJAX request bodies or query strings; standard access logs do not record POST bodies, so body-level enumeration is only visible in WAF or application-level logs
- Access log entries from a single source IP requesting the AJAX endpoint with high frequency
Detection Strategies
- Inspect web server access logs for unauthenticated requests to admin-ajax.php targeting the plugin's AJAX action
- Correlate response sizes and status codes: WordPress answers an unregistered admin-ajax action with HTTP 400 and a one-byte body of "0", so a run of HTTP 200 responses with JSON-sized bodies against product IDs that are not publicly listed indicates successful extraction
- Deploy WAF rules that flag high-rate access to the vulnerable AJAX action from unauthenticated sessions
Monitoring Recommendations
- Alert on spikes in admin-ajax.php traffic volume, particularly from single IPs or ASN ranges
- Monitor for user-agent strings associated with scanners and HTTP libraries (wpscan, curl, python-requests), treating the user-agent as a weak signal only, since an attacker can set it to anything
- Track HTTP 200 responses to unauthenticated AJAX requests that return JSON payloads containing product fields; this needs response-body visibility at a WAF or reverse proxy, because the web server access log records only the status code and byte count
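The following is an added example, not part of the advisory or of the plugin, that runs the detection strategies above over constructed access-log lines. PHP is used because it is already present on every WordPress host, so the script can run directly on the web server. The action slug pcw_get_product and the product_id parameter are assumptions (the real names come from the plugin source), and the log lines are constructed for the example: 203.0.113.7 walks product IDs 101 to 105 over GET, while 198.51.100.20 is ordinary storefront traffic, including a POST whose body (and therefore action) the log does not record. The script groups admin-ajax.php hits per client IP, counts lookups that returned a sizable HTTP 200 body rather than the one-byte "0", and measures the longest run of consecutive product IDs.

```php
<?php
// Added detection example; not from the advisory or the plugin.
// ASSUMED: action slug "pcw_get_product" and parameter "product_id".
// Requires PHP 7.4+ (null-coalescing assignment).

const TARGET_ACTION = 'pcw_get_product';

// Constructed sample log (Apache/nginx combined format), not real traffic.
$sample_log = <<<'LOG'
203.0.113.7 - - [01/Jul/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=pcw_get_product&product_id=101 HTTP/1.1" 200 412 "-" "python-requests/2.32"
203.0.113.7 - - [01/Jul/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=pcw_get_product&product_id=102 HTTP/1.1" 200 398 "-" "python-requests/2.32"
203.0.113.7 - - [01/Jul/2026:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=pcw_get_product&product_id=103 HTTP/1.1" 200 441 "-" "python-requests/2.32"
203.0.113.7 - - [01/Jul/2026:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=pcw_get_product&product_id=104 HTTP/1.1" 200 405 "-" "python-requests/2.32"
203.0.113.7 - - [01/Jul/2026:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=pcw_get_product&product_id=105 HTTP/1.1" 200 420 "-" "python-requests/2.32"
198.51.100.20 - - [01/Jul/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1894 "https://shop.example/" "Mozilla/5.0"
198.51.100.20 - - [01/Jul/2026:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=nosuchaction HTTP/1.1" 400 1 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Jul/2026:10:00:06 +0000] "GET /shop/ HTTP/1.1" 200 23110 "-" "Mozilla/5.0"
LOG;

// Parse one combined-format line; return null unless it targets admin-ajax.php.
function parse_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-)/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    $path = (string) parse_url( $m[4], PHP_URL_PATH );
    if ( substr( $path, -14 ) !== 'admin-ajax.php' ) {
        return null;
    }
    $query = array();
    parse_str( (string) parse_url( $m[4], PHP_URL_QUERY ), $query );
    return array(
        'ip'     => $m[1],
        'method' => $m[3],
        'status' => (int) $m[5],
        'bytes'  => $m[6] === '-' ? 0 : (int) $m[6],
        // POST bodies are not logged, so action and ID are only recoverable
        // when the attacker put them in the query string.
        'action' => $query['action'] ?? null,
        'pid'    => isset( $query['product_id'] ) ? (int) $query['product_id'] : null,
    );
}

// Length of the longest run of consecutive integers (101,102,103 -> 3).
function longest_consecutive_run( array $ids ): int {
    $ids = array_values( array_unique( $ids ) );
    sort( $ids );
    $best = $run = count( $ids ) ? 1 : 0;
    for ( $i = 1; $i < count( $ids ); $i++ ) {
        $run  = ( $ids[ $i ] === $ids[ $i - 1 ] + 1 ) ? $run + 1 : 1;
        $best = max( $best, $run );
    }
    return $best;
}

// Per-IP aggregation; flag high admin-ajax volume or sequential ID walks.
function analyze( array $lines, int $rate_threshold = 20, int $run_threshold = 3 ): array {
    $per_ip = array();
    foreach ( $lines as $line ) {
        $hit = parse_line( $line );
        if ( ! $hit ) {
            continue;
        }
        $ip = $hit['ip'];
        $per_ip[ $ip ] ??= array( 'hits' => 0, 'ok' => 0, 'ids' => array() );
        $per_ip[ $ip ]['hits']++;
        if ( $hit['action'] === TARGET_ACTION && $hit['pid'] !== null ) {
            $per_ip[ $ip ]['ids'][] = $hit['pid'];
            // A real product payload is far larger than the bare "0" that
            // WordPress returns (with HTTP 400) for an unregistered action.
            if ( $hit['status'] === 200 && $hit['bytes'] > 1 ) {
                $per_ip[ $ip ]['ok']++;
            }
        }
    }
    $findings = array();
    foreach ( $per_ip as $ip => $s ) {
        $run = longest_consecutive_run( $s['ids'] );
        if ( $run >= $run_threshold || $s['hits'] >= $rate_threshold ) {
            $findings[ $ip ] = array( 'hits' => $s['hits'], 'ok' => $s['ok'], 'run' => $run );
        }
    }
    return $findings;
}

foreach ( analyze( explode( "\n", $sample_log ) ) as $ip => $f ) {
    printf( "%s: %d admin-ajax hits, %d successful product lookups, consecutive-ID run of %d\n",
        $ip, $f['hits'], $f['ok'], $f['run'] );
}
```

On the constructed input only 203.0.113.7 is reported (5 hits, 5 successful lookups, run of 5); the benign client stays below both thresholds. Against a live log, replace $sample_log with file( '/var/log/nginx/access.log' ) and raise the rate threshold to suit the site's normal admin-ajax volume. The consecutive-ID heuristic is the more specific signal; the rate threshold is there for attackers who enumerate over POST, where the access log shows only the volume.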
How to Mitigate CVE-2026-11568
Immediate Actions Required
- Update the Product Configurator for WooCommerce plugin to version 1.7.3 or later on all WordPress sites
- Audit product catalogs for private or draft items that may already have been exposed
- Treat any private or draft product that existed while the vulnerable version was installed as potentially disclosed; unreleased SKUs and internal pricing cannot be rotated like a credential, so decide with the business whether those values need to change before launch
Patch Information
The vendor addressed the flaw in Product Configurator for WooCommerce version 1.7.3. The fix adds authorization and post-status checks to the AJAX handler so that private and draft products are no longer returned to unauthenticated callers. Site administrators should apply the update through the WordPress plugin manager or WP-CLI. Refer to the WPScan Vulnerability Analysis for the advisory.
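To make the Root Cause and Patch Information sections concrete, here is an added before/after illustration of the handler pattern described above. It is not the plugin's code: the action slug pcw_get_product, the product_id parameter and the helper pcw_product_payload() are hypothetical stand-ins. The "before" function shows a handler that loads whatever ID it is given; the "after" function adds the two checks the advisory says the fix introduces, a post-status test and a read_post capability check, and returns the same 404 for hidden and non-existent products so the endpoint does not confirm that a hidden ID exists.

```php
<?php
// Added illustration; not the plugin's code. ASSUMED names: action slug
// "pcw_get_product", parameter "product_id", helper pcw_product_payload().

// The fields the advisory lists as exposed.
function pcw_product_payload( WC_Product $product ): array {
    return array(
        'id'     => $product->get_id(),
        'name'   => $product->get_name(),
        'price'  => $product->get_price(),
        'weight' => $product->get_weight(),
        'stock'  => $product->get_stock_status(),
        'sku'    => $product->get_sku(),
    );
}

// BEFORE: trusts the caller-supplied ID and never looks at post status or
// capabilities. wc_get_product() loads a product of any status, so a
// private or draft product comes back exactly like a published one.
function pcw_get_product_vulnerable() {
    $product = wc_get_product( absint( $_REQUEST['product_id'] ?? 0 ) );
    if ( ! $product ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( pcw_product_payload( $product ) );
}

// AFTER: same action and response shape, but a product that is not
// published is invisible unless the caller may read that specific post.
function pcw_get_product_hardened() {
    $product_id = absint( $_REQUEST['product_id'] ?? 0 );
    $product    = wc_get_product( $product_id );

    // Post-status check: only 'publish' is public.
    $published = $product && 'publish' === $product->get_status();

    // Authorization check: 'read_post' is the meta capability WordPress maps
    // to the right primitive for private and draft posts of this post type,
    // so a shop manager previewing a draft still gets a result.
    $may_read = $product && current_user_can( 'read_post', $product_id );

    if ( ! $published && ! $may_read ) {
        // Identical to the non-existent-ID response: no existence oracle.
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( pcw_product_payload( $product ) );
}

// The action stays public (guests need the configurator); both the logged-in
// and the nopriv hook dispatch to the hardened handler.
add_action( 'wp_ajax_pcw_get_product',        'pcw_get_product_hardened' );
add_action( 'wp_ajax_nopriv_pcw_get_product', 'pcw_get_product_hardened' );
```

Note that adding a nonce check (check_ajax_referer) would not have closed this hole: a nonce issued to anonymous visitors is obtainable by anyone, so it protects against cross-site request forgery, not against a caller who is simply not entitled to the data. The status and capability checks are the actual fix.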
Workarounds
- Deactivate the Product Configurator for WooCommerce plugin until the patched version can be installed
- Block or rate-limit unauthenticated requests to the vulnerable AJAX action at the WAF or reverse proxy layer
- Restrict access to admin-ajax.php from untrusted networks where feasible, keeping in mind that many themes and plugins use admin-ajax.php for features served to anonymous visitors, so a blanket block tends to break the storefront; blocking only the vulnerable action is safer
# Update the plugin using WP-CLI
wp plugin update product-configurator-for-woocommerce --version=1.7.3
wp plugin list | grep product-configurator
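For the second and third workarounds in the list above (blocking only the vulnerable action for unauthenticated callers rather than all of admin-ajax.php), here is an added example of a must-use plugin that performs the block inside WordPress, where no WAF is available. It is not vendor code. The action slug pcw_get_product is an assumption: read the real one from the plugin's add_action( 'wp_ajax_nopriv_...' ) registration before deploying. Because admin-ajax.php takes the action from $_REQUEST, the check covers both GET and POST.

```php
<?php
/**
 * Plugin Name: Temporary block for Product Configurator product lookup
 * Description: Added example (not vendor code). Drop into wp-content/mu-plugins/
 *              until Product Configurator for WooCommerce >= 1.7.3 is installed.
 *
 * ASSUMED: the action slug below is hypothetical. Find the real one with
 *   grep -rn "wp_ajax_nopriv_" wp-content/plugins/product-configurator-for-woocommerce/
 * and put it in the array.
 */

const PCW_BLOCKED_NOPRIV_ACTIONS = array( 'pcw_get_product' );

// 'init' has fired by the time admin-ajax.php dispatches the action, so
// dying here prevents the vulnerable handler from ever running.
add_action( 'init', function () {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';

    // Anonymous callers are refused; logged-in users still reach the plugin
    // (it remains unpatched for them, but the exposure the advisory
    // describes is the unauthenticated path).
    if ( in_array( $action, PCW_BLOCKED_NOPRIV_ACTIONS, true ) && ! is_user_logged_in() ) {
        // Same shape WordPress itself uses for an unknown action.
        wp_die( '0', 400 );
    }
}, 0 );
```

This is a stopgap, not a substitute for the update: it turns the configurator's product lookup off for guest shoppers entirely, because without the plugin's own post-status check there is no safe way to serve the published subset. Remove the must-use file once version 1.7.3 or later is installed.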
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

