{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27046", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:18.876Z", "datePublished": "2026-03-25T16:14:53.119Z", "dateUpdated": "2026-04-28T16:14:59.910Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "woocustomizer", "product": "StoreCustomizer", "vendor": "Kaira", "versions": [{"changes": [{"at": "2.6.5", "status": "unaffected"}], "lessThanOrEqual": "2.6.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "PPzzAArr | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:25.321Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Kaira StoreCustomizer woocustomizer allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects StoreCustomizer: from n/a through <= 2.6.3.</p>"}], "value": "Missing Authorization vulnerability in Kaira StoreCustomizer woocustomizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects StoreCustomizer: from n/a through <= 2.6.3."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:59.910Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/woocustomizer/vulnerability/wordpress-storecustomizer-plugin-2-6-3-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress StoreCustomizer plugin <= 2.6.3 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T16:43:34.562706Z", "id": "CVE-2026-27046", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:49:58.527Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27046", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:43:34.562706Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:31:46.585Z"}}], "cna": {"title": "WordPress StoreCustomizer plugin <= 2.6.3 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "PPzzAArr | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Kaira", "product": "StoreCustomizer", "versions": [{"status": "affected", "changes": [{"at": "2.6.5", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.6.3"}], "packageName": "woocustomizer", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:18:25.321Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/woocustomizer/vulnerability/wordpress-storecustomizer-plugin-2-6-3-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Kaira StoreCustomizer woocustomizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects StoreCustomizer: from n/a through <= 2.6.3.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Kaira StoreCustomizer woocustomizer allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects StoreCustomizer: from n/a through <= 2.6.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:10.348Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27046", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:49:58.527Z", "dateReserved": "2026-02-17T13:23:18.876Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:53.119Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Kaira StoreCustomizer woocustomizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects StoreCustomizer: from n/a through <= 2.6.3."}, {"lang": "es", "value": "Vulnerabilidad de Autorizaci\u00f3n Faltante en Kaira StoreCustomizer woocustomizer permite Explotar Niveles de Seguridad de Control de Acceso Incorrectamente Configurados. Este problema afecta a StoreCustomizer: desde n/a hasta &lt;= 2.6.3."}], "id": "CVE-2026-27046", "lastModified": "2026-04-28T16:16:10.040", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-25T17:16:53.853", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/woocustomizer/vulnerability/wordpress-storecustomizer-plugin-2-6-3-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.6.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "StoreCustomizer", "source": "cna", "vendor": "Kaira"}, "product": "storecustomizer", "vendor": "kaira"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T18:58:10.066086+00:00", "value": {"mitigation_remediation": ["Upgrade StoreCustomizer to the latest release after version 2.6.3 and verify the patch resolves the authorization issue.", "Take a full backup of the website and database before applying the update to enable rollback if necessary.", "After updating, confirm that privileged actions in the plugin require the appropriate user role and that the access control bypass no longer functions.", "If an immediate update cannot be performed, deactivate the StoreCustomizer plugin until a patched version is released to prevent potential exploitation."], "summary": {"action": "Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Kaira StoreCustomizer plugin for WordPress in all releases up to and including version 2.6.3. The advisory does not confirm whether newer releases contain a fix; therefore, the status of versions beyond 2.6.3 remains uncertain and should be evaluated individually.", "description_and_impact": "The StoreCustomizer plugin for WordPress implements StoreCustomizer woocustomizer accesses lacking proper authorization checks, enabling administrators or unauthenticated users to invoke privileged actions such as modifying store settings or viewing sensitive data without the required permissions. This flaw is categorized as a missing authorization vulnerability (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation currently, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves crafting HTTP requests that bypass the missing authorization check, allowing an attacker to perform administrative actions over the web interface. If such requests are executed, the attacker could change store configuration, access confidential information, or disrupt service availability."}}}}, "created": "2026-03-25T21:44:10.668067+00:00", "updated": "2026-03-27T09:31:32.141023+00:00", "vendors": ["kaira", "kaira$PRODUCT$storecustomizer", "wordpress", "wordpress$PRODUCT$wordpress"]}