PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49072 OPMC CVE debrief

CVE-2026-49072 is a medium-severity broken access control vulnerability in the WooCommerce Anti-Fraud plugin that can be reached without authentication. It has a CVSS score of 6.5. It was published on June 17, 2026, and last modified on the same day. The vendor and product information are not confirmed, but Patchstack has identified it as a potential issue. Users of the affected plugin versions should take immediate action to mitigate the risk.

Vendor: OPMC
Product: WooCommerce Anti-Fraud
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Administrators and security teams of WordPress installations using the WooCommerce Anti-Fraud plugin versions <= 7.2.6 should be aware of this vulnerability and take necessary actions to protect their sites.

Technical summary

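CVE-2026-49072 has a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L, indicating a medium-severity issue: it is reachable over the network with low attack complexity, requires no privileges and no user interaction, and has a low impact on integrity and availability with no impact on confidentiality. It is categorized under CWE-862 (Missing Authorization). The vulnerability is an unauthenticated broken access control issue affecting WooCommerce Anti-Fraud plugin versions <= 7.2.6.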

Defensive priority

Medium

Recommended defensive actions

  • Update the WooCommerce Anti-Fraud plugin to a version greater than 7.2.6.
  • Restrict access to sensitive areas of the WordPress installation.
  • Monitor for suspicious activity on the site.
  • Implement additional security measures, such as two-factor authentication.
  • Regularly review and update plugins and themes.
  • Consider using a web application firewall (WAF).
  • Keep WordPress core, plugins, and themes up-to-date.

Evidence notes

The information provided is based on data from the National Vulnerability Database (NVD) and Patchstack. The CVE record was published on June 17, 2026, and last modified on the same day. The vendor and product information are not confirmed, but Patchstack has identified it as a potential issue.
