What the vulnerability does
01 Description
The Quick View for WooCommerce plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.17 via the 'wqv_popup_content' AJAX endpoint due to insufficient restrictions on which products can be included. This makes it possible for unauthenticated attackers to extract data from private products that they should not have access to.
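The class of check the description says is missing, shown as an added example (not the plugin's code or its fix, neither of which appears on this page). The `example_` function names, the `example_quick_view` action and the `product_id` parameter are hypothetical; the WordPress and WooCommerce calls are the standard ones.

```php
<?php
/**
 * Added example: decide whether the current visitor may see a product
 * before an AJAX handler renders it. All example_ names are hypothetical.
 */
function example_get_viewable_product( $product_id ) {
    $product = wc_get_product( absint( $product_id ) );
    if ( ! $product ) {
        return null;
    }

    $id = $product->get_id();

    // Anything that is not published (private, draft, pending, trash) is
    // only returned to users whose role grants read access to that post.
    if ( 'publish' !== $product->get_status() && ! current_user_can( 'read_post', $id ) ) {
        return null;
    }

    // Password-protected products stay hidden until the password is supplied.
    if ( post_password_required( $id ) ) {
        return null;
    }

    return $product;
}

function example_quick_view_handler() {
    // Hypothetical parameter name; absint() in the helper normalises it.
    $product_id = isset( $_REQUEST['product_id'] ) ? wp_unslash( $_REQUEST['product_id'] ) : 0;
    $product    = example_get_viewable_product( $product_id );

    if ( ! $product ) {
        // Same response for "does not exist" and "not allowed", so the
        // endpoint does not confirm which private product IDs exist.
        wp_send_json_error( array( 'message' => 'Product not available.' ), 404 );
    }

    wp_send_json_success( array(
        'id'         => $product->get_id(),
        'name'       => $product->get_name(),
        'price_html' => $product->get_price_html(),
    ) );
}
// The nopriv hook is what makes a handler reachable without logging in,
// so the visibility check above has to run on that path too.
add_action( 'wp_ajax_example_quick_view', 'example_quick_view_handler' );
add_action( 'wp_ajax_nopriv_example_quick_view', 'example_quick_view_handler' );
```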
Explanation of Vulnerability in Simple Terms
02 Summary
The Quick View for WooCommerce plugin through version 2.2.17 exposes sensitive information to unauthenticated attackers over the network. The vulnerability allows unauthorized access to data that should be restricted, without requiring user interaction. Site administrators should update to a version newer than 2.2.17 to mitigate this exposure.
What an attacker can do
03 Attacker Capabilities
Read sensitive information from the plugin without authentication.
Potential impact on your site
04 Site Impact
Customer or product data may be exposed to anyone on the internet without needing to log in.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
November 27, 2025: CVE published
April 8, 2026: Record updated