CVE-2026-11568

CVE-2026-11568: Product Configurator for WooCommerce < 1.7.3 - Unauthenticated Private/Draft Product Data Disclosure via pc_get_data

Vendor Unknown
Product Product Configurator for WooCommerce
Published July 1, 2026
Last update July 1, 2026

CVSS base score

What the vulnerability does

01Description

The Product Configurator for WooCommerce WordPress plugin before 1.7.3 does not perform any authorisation or post-status check before returning WooCommerce product data through a public AJAX action, allowing unauthenticated users to retrieve the data (title, price, weight, stock status, and configurator option pricing/SKUs) of private and draft, non-public products by supplying the product ID. WordPress post-visibility controls are bypassed.

Key dates

02Disclosure timeline

July 1, 2026 CVE published