What the vulnerability does
01 Description
The Otter Blocks plugin for WordPress is vulnerable to Purchase Verification Bypass in all versions up to, and including, 3.1.4. This is due to the 'get_customer_data' method relying on an unsigned 'o_stripe_data' cookie to determine Stripe product ownership for unauthenticated users. The 'check_purchase' method trusts this cookie data without performing server-side verification against the Stripe API for one-time 'payment' mode purchases. This makes it possible for unauthenticated attackers to bypass Stripe purchase-gated content visibility conditions by forging the 'o_stripe_data' cookie with a target product ID, which is publicly exposed in the checkout block's HTML source.
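The description above boils down to an ownership claim that lives in a cookie the client can write and the server never validates. The following PHP sketch is an added illustrative example, not Otter Blocks code: it puts a check that trusts an unsigned cookie beside one that only accepts a server-minted, HMAC-signed cookie. Function names, the `SIGNING_KEY` constant and the `prod_TARGET` product ID are constructed for the example; signing the cookie is a swapped-in mitigation that stops forgery only, and a real fix for one-time 'payment' mode purchases would still confirm ownership against Stripe server-side, as the advisory states.

```php
<?php
// Added example, not the plugin's code. Names and values are hypothetical.
// A WordPress plugin would derive this key from wp_salt() rather than hard-code it.
const SIGNING_KEY = 'constructed-server-secret';

// Weak pattern: whatever the cookie says about owned products is believed.
function check_purchase_unsigned(string $cookie, string $product_id): bool {
    $data = json_decode($cookie, true);
    $products = is_array($data) ? ($data['products'] ?? []) : [];
    return is_array($products) && in_array($product_id, $products, true);
}

// Hardened pattern, step 1: the server mints the cookie and signs its payload
// after it has itself confirmed the purchase (e.g. from a Stripe webhook).
function mint_signed_cookie(array $products): string {
    $payload = json_encode(['products' => array_values($products), 'iat' => time()]);
    $sig = hash_hmac('sha256', $payload, SIGNING_KEY);
    return base64_encode($payload) . '.' . $sig;
}

// Hardened pattern, step 2: verify the signature before reading any field.
function check_purchase_signed(string $cookie, string $product_id): bool {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$b64, $sig] = $parts;
    $payload = base64_decode($b64, true);
    if ($payload === false) {
        return false;
    }
    // Constant-time comparison; a client-constructed or edited payload fails here.
    if (!hash_equals(hash_hmac('sha256', $payload, SIGNING_KEY), $sig)) {
        return false;
    }
    $data = json_decode($payload, true);
    $products = is_array($data) ? ($data['products'] ?? []) : [];
    return is_array($products) && in_array($product_id, $products, true);
}

// Constructed demo: a client-written cookie is accepted by the weak check
// and rejected by the signed one; only a server-minted cookie passes the latter.
$client_written = json_encode(['products' => ['prod_TARGET']]);
var_dump(check_purchase_unsigned($client_written, 'prod_TARGET'));
var_dump(check_purchase_signed($client_written, 'prod_TARGET'));
var_dump(check_purchase_signed(mint_signed_cookie(['prod_TARGET']), 'prod_TARGET'));
```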
Explanation of the vulnerability in simple terms
02 Summary
Otter Blocks for WordPress contains an improper access control vulnerability affecting versions up to 3.1.4. An unauthenticated attacker can read sensitive data from the site without requiring user interaction. The vulnerability stems from insufficient permission checks on a data-retrieval function. Site administrators should update to a version newer than 3.1.4 as soon as possible.
What an attacker can do
03 Attacker Capabilities
Read sensitive data from the site without authentication or user interaction.
Potential impact on your site
04 Site Impact
Sensitive site data may be exposed to unauthenticated visitors, including information not intended for public access.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user action required.
Key dates
06 Disclosure timeline
April 30, 2026: CVE published
May 1, 2026: Record updated