PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48971 WebToffee CVE debrief

A Missing Authorization vulnerability (CWE-862) in the WebToffee Product Import Export for WooCommerce WordPress plugin allows authenticated attackers with low privileges to exploit incorrectly configured access control. The vulnerability affects all versions from n/a through 2.5.6. The issue was published to the CVE List on 2026-05-27 and carries a CVSS 3.1 score of 4.3 (Medium severity): attack vector Network, Low attack complexity, Low privileges required, no user interaction needed, and Low confidentiality impact. The NVD entry currently shows a status of Deferred. No known exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA KEV.

Vendor: WebToffee
Product: Product Import Export for WooCommerce
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

  • WordPress site administrators running WebToffee Product Import Export for WooCommerce plugin versions 2.5.6 or earlier
  • E-commerce security teams managing WooCommerce deployments
  • WordPress security monitoring services

Technical summary

The Product Import Export for WooCommerce plugin by WebToffee fails to properly enforce authorization checks on functionality related to product import and export operations. An attacker with low-privileged authenticated access (any valid account, not just an administrator) can bypass the intended access controls, potentially gaining unauthorized access to product data or manipulating import/export processes. The root cause is a missing or incomplete authorization check (CWE-862), not an authentication bypass: the caller is a legitimately logged-in user whose role should not permit the operation.
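An illustration of the CWE-862 pattern described above, added here as example code that is not the plugin's own source (which this page does not show): a WordPress admin-ajax export handler reachable by any logged-in user, beside the hardened form that checks a nonce and a capability. The hook name, nonce action and the use of the `manage_woocommerce` capability are assumptions for the illustration.

```php
<?php
// Added example of missing authorization in a WooCommerce plugin; hypothetical names.

// VULNERABLE PATTERN (shown for contrast; intentionally not registered below).
// wp_ajax_* hooks fire for ANY authenticated user, including Subscriber-level
// accounts. is_user_logged_in() confirms authentication only; it is not an
// authorization check, so every logged-in role can trigger the export.
function example_export_products_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Not logged in' );
    }
    // ... builds and streams the product CSV to whoever called ...
    wp_send_json_success( array( 'status' => 'export started' ) );
}

// HARDENED PATTERN: verify the request carries a nonce minted on the plugin's own
// admin page, AND that the caller holds a capability that actually covers product
// data. manage_woocommerce is granted to Shop Manager and Administrator roles,
// not to Customer or Subscriber accounts.
add_action( 'wp_ajax_example_export_products', 'example_export_products_hardened' );
function example_export_products_hardened() {
    // Third argument false: return instead of dying, so a clean 403 can be sent.
    if ( ! check_ajax_referer( 'example_export_nonce', 'security', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce' ), 403 );
    }
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }
    // Authorized caller: proceed with the export.
    wp_send_json_success( array( 'status' => 'export started' ) );
}

// The matching nonce is created server-side when rendering the plugin's admin page,
// e.g. wp_create_nonce( 'example_export_nonce' ), and sent as the 'security' field.
// A capability check without the nonce still leaves a logged-in administrator
// exposed to cross-site request forgery, so both checks belong together.
```

Note that the capability check is the fix for CWE-862 specifically; the nonce check addresses a separate request-forgery concern and does not substitute for it.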

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Product Import Export for WooCommerce to a version newer than 2.5.6 when available
  • Review WordPress user role permissions to enforce principle of least privilege
  • Monitor access logs for unauthorized product import/export operations
  • Apply Web Application Firewall rules to restrict access to plugin administrative endpoints if patching is delayed
  • Verify plugin file integrity and check for unauthorized modifications

Evidence notes

Vulnerability identified by Patchstack ([email protected]) and submitted to CVE. CPE criteria not yet assigned in NVD. Vendor attribution marked as low confidence requiring review due to 'Unknown Vendor' classification in source data.

Official resources

2026-05-27