{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24553", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:31:51.715Z", "datePublished": "2026-01-23T14:28:53.445Z", "dateUpdated": "2026-04-28T16:14:49.201Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers", "product": "Fraud Prevention For Woocommerce", "vendor": "Dotstore", "versions": [{"changes": [{"at": "2.3.3", "status": "unaffected"}], "lessThanOrEqual": "2.3.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jarno Vos (jrn5151) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:42.960Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Dotstore Fraud Prevention For Woocommerce woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers allows Retrieve Embedded Sensitive Data.<p>This issue affects Fraud Prevention For Woocommerce: from n/a through <= 2.3.2.</p>"}], "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Dotstore Fraud Prevention For Woocommerce woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers allows Retrieve Embedded Sensitive Data.This issue affects Fraud Prevention For Woocommerce: from n/a through <= 2.3.2."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-497", "description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:49.201Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers/vulnerability/wordpress-fraud-prevention-for-woocommerce-plugin-2-3-1-sensitive-data-exposure-vulnerability?_s_id=cve"}], "title": "WordPress Fraud Prevention For Woocommerce plugin <= 2.3.2 - Sensitive Data Exposure vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T17:43:15.429423Z", "id": "CVE-2026-24553", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:22:32.367Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24553", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T17:43:15.429423Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T17:43:08.837Z"}}], "cna": {"title": "WordPress Fraud Prevention For Woocommerce plugin <= 2.3.2 - Sensitive Data Exposure vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jarno Vos (jrn5151) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Dotstore", "product": "Fraud Prevention For Woocommerce", "versions": [{"status": "affected", "changes": [{"at": "2.3.3", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.3.2"}], "packageName": "woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:21.989Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers/vulnerability/wordpress-fraud-prevention-for-woocommerce-plugin-2-3-1-sensitive-data-exposure-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Dotstore Fraud Prevention For Woocommerce woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers allows Retrieve Embedded Sensitive Data.This issue affects Fraud Prevention For Woocommerce: from n/a through <= 2.3.2.", "supportingMedia": [{"type": "text/html", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Dotstore Fraud Prevention For Woocommerce woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers allows Retrieve Embedded Sensitive Data.<p>This issue affects Fraud Prevention For Woocommerce: from n/a through <= 2.3.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-497", "description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:44.863Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24553", "state": "PUBLISHED", "dateUpdated": "2026-04-28T14:22:32.367Z", "dateReserved": "2026-01-23T12:31:51.715Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:28:53.445Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Dotstore Fraud Prevention For Woocommerce woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers allows Retrieve Embedded Sensitive Data.This issue affects Fraud Prevention For Woocommerce: from n/a through <= 2.3.2."}, {"lang": "es", "value": "Vulnerabilidad de Exposici\u00f3n de Informaci\u00f3n Sensible del Sistema a una Esfera de Control No Autorizada en Dotstore Fraud Prevention para Woocommerce woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers permite Recuperar Datos Sensibles Incrustados. Este problema afecta a Fraud Prevention para Woocommerce: desde n/a hasta &lt;= 2.3.1."}], "id": "CVE-2026-24553", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-23T15:16:11.890", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers/vulnerability/wordpress-fraud-prevention-for-woocommerce-plugin-2-3-1-sensitive-data-exposure-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-497"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:46:35.998353+00:00", "value": {"mitigation_remediation": ["Update the Fraud Prevention For Woocommerce plugin to the latest available version (2.3.3 or later) to close the data exposure path.", "If the plugin is not required, uninstall or completely disable it to eliminate the vulnerable code from the site.", "Apply standard WordPress security hardening: enforce strong passwords, restrict admin access to trusted IPs, and limit roles to only those necessary to manage the site."], "summary": {"action": "Apply Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Fraud Prevention For Woocommerce plugin developed by Dotstore, specifically all releases up to and including version 2.3.2. Users running any of these versions on a WordPress site are vulnerable until the plugin is updated.", "description_and_impact": "The identified flaw allows an attacker to retrieve embedded sensitive data from the WordPress Fraud Prevention For Woocommerce plugin. The exposure jeopardizes the confidentiality of credentials and configuration information that may be stored by the plugin, leading to potential compromise of the entire WordPress installation. The weakness is classified as CWE-497, indicating that sensitive data can be read without proper access controls.", "risk_and_exploitability": "With a CVSS score of 4.3 the issue is considered moderate and the EPSS score is below 1%, indicating a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an attacker to obtain administrative access to the WordPress backend or exploit other authenticated paths that allow interaction with the plugin\u2019s embedded data, since no unauthenticated access is reported."}}}}, "created": "2026-01-26T11:53:31.445582+00:00", "updated": "2026-04-16T02:00:12.319675+00:00", "vendors": ["dotstore", "dotstore$PRODUCT$fraud_prevention_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}