{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27066", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:42.768Z", "datePublished": "2026-02-19T08:27:11.001Z", "dateUpdated": "2026-04-28T16:15:00.856Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "live-sales-notifications-for-woocommerce", "product": "Live sales notification for WooCommerce", "vendor": "PI Web Solution", "versions": [{"lessThanOrEqual": "2.3.60", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jitlada | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:31.180Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in PI Web Solution Live sales notification for WooCommerce live-sales-notifications-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Live sales notification for WooCommerce: from n/a through <= 2.3.60.</p>"}], "value": "Missing Authorization vulnerability in PI Web Solution Live sales notification for WooCommerce live-sales-notifications-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Live sales notification for WooCommerce: from n/a through <= 2.3.60."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:00.856Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/live-sales-notifications-for-woocommerce/vulnerability/wordpress-live-sales-notification-for-woocommerce-plugin-2-3-44-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Live sales notification for WooCommerce plugin <= 2.3.60 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T16:53:48.348027Z", "id": "CVE-2026-27066", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:51:53.677Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27066", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T16:53:48.348027Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T16:53:44.208Z"}}], "cna": {"title": "WordPress Live sales notification for WooCommerce plugin <= 2.3.61 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jitlada | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "PI Web Solution", "product": "Live sales notification for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.3.61"}], "packageName": "live-sales-notifications-for-woocommerce", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:54.109Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/live-sales-notifications-for-woocommerce/vulnerability/wordpress-live-sales-notification-for-woocommerce-plugin-2-3-44-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in PI Web Solution Live sales notification for WooCommerce live-sales-notifications-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Live sales notification for WooCommerce: from n/a through <= 2.3.61.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in PI Web Solution Live sales notification for WooCommerce live-sales-notifications-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Live sales notification for WooCommerce: from n/a through <= 2.3.61.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:50.651Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27066", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:51:53.677Z", "dateReserved": "2026-02-17T13:23:42.768Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:27:11.001Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in PI Web Solution Live sales notification for WooCommerce live-sales-notifications-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Live sales notification for WooCommerce: from n/a through <= 2.3.60."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en PI Web Solution Live sales notification para WooCommerce live-sales-notifications-for-woocommerce permite explotar niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Live sales notification for WooCommerce: desde n/a hasta &lt;= 2.3.46."}], "id": "CVE-2026-27066", "lastModified": "2026-04-28T19:37:12.417", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-02-19T09:16:27.360", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/live-sales-notifications-for-woocommerce/vulnerability/wordpress-live-sales-notification-for-woocommerce-plugin-2-3-44-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.46]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Live sales notification for WooCommerce", "source": "cna", "vendor": "PI Web Solution"}, "product": "live_sales_notification_for_woocommerce", "vendor": "pi_web_solution"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-29T02:31:45.142283+00:00", "value": {"mitigation_remediation": ["Upgrade the Live sales notification for WooCommerce plugin to a version newer than 2.3.60.", "Restrict direct access to the WordPress administrative pages that expose sale notifications, limiting them to users with appropriate roles.", "Enforce WordPress role\u2011based access controls so that only authorized administrators can view sale notification data."], "summary": {"action": "Patch", "impact": "Unauthorized access to notification data"}, "threat_synthesis": {"affected_systems": "WordPress sites that install PI Web Solution Live sales notification for WooCommerce in any version up to and including 2.3.60 are vulnerable. The vulnerability affects all releases of the plugin from the earliest mentioned build through 2.3.60.", "description_and_impact": "The vulnerability is a missing authorization issue in PI Web Solution Live sales notification for WooCommerce. It allows actors to bypass the plugin\u2019s configured access control security levels and retrieve sale notifications. This can result in unauthorized disclosure of notification data stored by the plugin.", "risk_and_exploitability": "Based on the CVSS base score of 5.3, the vulnerability represents a moderate risk. The EPSS score is less than 1\u202f%, indicating a low probability of exploitation, and it is not listed in CISA\u2019s KEV catalog. The likely attack vector is via the WordPress administrative interface or through an authenticated user with insufficient role restrictions, allowing read access to sale notification data that should otherwise be protected."}}}}, "created": "2026-02-20T10:08:02.376192+00:00", "updated": "2026-04-29T02:45:35.961004+00:00", "vendors": ["pi_web_solution", "pi_web_solution$PRODUCT$live_sales_notification_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}