WordPress Plugin Vulnerabilities

Otter Blocks < 3.1.5 - Unauthenticated Purchase Verification Bypass via Forged Cookie

Description

The plugin is vulnerable to Purchase Verification Bypass due to the 'get_customer_data' method relying on an unsigned 'o_stripe_data' cookie to determine Stripe product ownership for unauthenticated users. The 'check_purchase' method trusts this cookie data without performing server-side verification against the Stripe API for one-time 'payment' mode purchases. This makes it possible for unauthenticated attackers to bypass Stripe purchase-gated content visibility conditions by forging the 'o_stripe_data' cookie with a target product ID, which is publicly exposed in the checkout block's HTML source.

Affects Plugins

Plugin icon
otter-blocks
Fixed in 3.1.5

References

CVE
CVE-2026-2892
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/3443950f-1f94-4e0b-8906-1a9b9602a746

Classification

Type
SPOOFING
OWASP top 10
A5: Broken Access Control
CWE
CWE-290
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Drew Webber (mcdruid)
Verified
No
WPVDB ID
a3bb4c0c-48a8-4c85-a0ae-d36ab241159c

Timeline

Publicly Published
2026-04-29 (about 16 days ago)
Added
2026-04-30 (about 15 days ago)
Last Updated
2026-04-30 (about 15 days ago)

Other

Published
Title
Published
2024-01-05
Title
Wp Ultimate Review < 2.3.7 - IP Spoofing
Published
2023-12-27
Title
Rate my Post < 3.4.3 - IP Spoofing
Published
2023-11-06
Title
Security & Malware scan by CleanTalk < 2.121 - IP Spoofing
Published
2023-12-27
Title
Branda < 3.4.15 - IP Spoofing
Published
2024-02-12
Title
Defender Security < 4.4.2 - IP Address Spoofing