WordPress Plugin Vulnerabilities

WPC Product Bundles for WooCommerce < 8.4.6 - Missing Authorization

Description

The WPC Product Bundles for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 8.4.5. This makes it possible for authenticated attackers, with contributor-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
woo-product-bundle
Fixed in 8.4.6

References

CVE
CVE-2026-32406
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d0693b76-dd6a-4ebc-8384-b7dadb606849

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
hhhai
Verified
No
WPVDB ID
01a4a3b9-6fa2-464c-ae36-2d694edd1c83

Timeline

Publicly Published
2026-02-22 (about 2 months ago)
Added
2026-04-15 (about 28 days ago)
Last Updated
2026-04-15 (about 28 days ago)

Other

Published
Title
Published
2025-01-24
Title
FV Thoughtful Comments < 0.3.6 - Missing Authorization
Published
2026-02-11
Title
PDF for WPForms < 6.3.1 - Missing Authorization
Published
2024-10-21
Title
Smart Manager < 8.46.0 - Missing Authorization
Published
2025-12-18
Title
HomeFix Elementor Portfolio <= 1.0.1 - Missing Authorization
Published
2025-06-19
Title
CRM ERP Business Solution <= 1.13 - Missing Authorization