PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49059 Facebook CVE debrief

An open redirect vulnerability in the Facebook for WooCommerce WordPress plugin (versions through 3.7.0) allows attackers to redirect users to untrusted external sites, facilitating phishing attacks. The vulnerability stems from improper validation of redirect URLs, enabling manipulation of the destination parameter to point to attacker-controlled domains. This can be exploited to steal credentials or conduct social engineering by presenting malicious sites as legitimate WooCommerce/Facebook commerce flows.

Vendor: Facebook
Product: Facebook for WooCommerce
CVSS: MEDIUM 4.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

WordPress site administrators running the Facebook for WooCommerce plugin at version 3.7.0 or earlier; e-commerce security teams monitoring plugin supply chain risk; incident responders investigating phishing campaigns that leverage trusted brand domains.

Technical summary

The Facebook for WooCommerce plugin fails to properly sanitize or validate URL redirect parameters, allowing attackers to craft links that redirect authenticated or unauthenticated users to arbitrary external domains. This vulnerability (CWE-601) is exploitable without authentication (AV:N/AC:L/PR:N) but requires user interaction (UI:R). The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N yields a base score of 4.7, reflecting limited confidentiality impact through phishing rather than direct system compromise. The changed scope (S:C) indicates that the impact extends beyond the vulnerable component to the redirected destination.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Facebook for WooCommerce plugin to version 3.7.1 or later if available; verify patch availability through official WooCommerce or Facebook channels
  • Implement server-side validation for all redirect parameters, enforcing strict allowlists of permitted destination domains
  • Configure web application firewall rules to detect and block requests with suspicious redirect parameters containing external URLs
  • Review access logs for patterns of redirect exploitation, particularly requests with manipulated 'redirect_to' or similar parameters targeting external domains
  • Educate users to verify URL destinations before authenticating or entering credentials on WooCommerce checkout flows
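The allowlist check from the second action and the log review from the fourth, combined in one added Python example (not code from the Facebook for WooCommerce plugin or from PatchSiren); the allowed hostnames, the 'redirect_to' parameter name and the log lines are constructed assumptions, and the validator also rejects protocol-relative, backslash and userinfo variants that a naive same-origin check misses.

```python
"""Allowlist redirect validation plus access-log triage for CWE-601 (open redirect).
Added example, not code from the Facebook for WooCommerce plugin; the allowed
hosts, the 'redirect_to' parameter name and the log lines are assumptions."""
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the shop's own hostnames; anything else counts as an external redirect.
ALLOWED_HOSTS = {"shop.example", "www.shop.example"}
# Request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')

def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for a same-site relative path or an http(s) URL on the allowlist."""
    # Browsers treat '\' like '/', so '/\host' would otherwise pass a naive
    # "starts with a single slash" check; normalise before parsing.
    target = target.strip().replace("\\", "/")
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative path; '//host/...' is protocol-relative, i.e. external.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # javascript:, data: and any other scheme
    # .hostname drops userinfo and port, so 'https://shop.example@host/' yields 'host'.
    return (parts.hostname or "") in allowed_hosts

def find_suspicious_redirects(log_lines, param="redirect_to"):
    """Return (line_number, decoded_target) for every request whose redirect
    parameter fails is_safe_redirect(); lines without one are ignored."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for target in parse_qs(urlsplit(m["path"]).query).get(param, []):
            if not is_safe_redirect(target):
                hits.append((lineno, target))
    return hits

# Constructed sample access-log lines (not real traffic); entries 2 and 3 are flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/May/2026:10:00:01 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 512',
    '203.0.113.6 - - [27/May/2026:10:00:02 +0000] "GET /?redirect_to=https%3A%2F%2Fphish.example%2Flogin HTTP/1.1" 302 0',
    '203.0.113.7 - - [27/May/2026:10:00:03 +0000] "GET /?redirect_to=%2F%2Fphish.example%2F HTTP/1.1" 302 0',
    '203.0.113.8 - - [27/May/2026:10:00:04 +0000] "GET /checkout/?redirect_to=https%3A%2F%2Fwww.shop.example%2Fthanks HTTP/1.1" 200 9012',
]

if __name__ == "__main__":
    for lineno, target in find_suspicious_redirects(SAMPLE_LOG):
        print(f"log line {lineno}: redirect to external target {target!r}")
```

Pointing `SAMPLE_LOG` at real access-log lines gives a first-pass triage list; in the plugin itself the same allowlist logic belongs server-side, before the redirect is issued.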

Evidence notes

Vulnerability disclosed via Patchstack and indexed in NVD with a CVSS 3.1 score of 4.7 (MEDIUM). CWE-601 (URL Redirection to Untrusted Site) is classified as the primary weakness. Affected versions confirmed as through 3.7.0 inclusive. NVD status marked as 'Deferred' at time of source capture.

Official resources

2026-05-27