PatchSiren cyber security CVE debrief
CVE-2026-49061 WPClever CVE debrief
A high-severity vulnerability, CVE-2026-49061, with a CVSS score of 7.5, was published on June 15, 2026, affecting WPC Product Options for WooCommerce versions up to 3.2.1. This vulnerability allows unauthenticated arbitrary file downloads, potentially leading to sensitive information disclosure.
- Vendor
- WPClever
- Product
- WPC Product Options for WooCommerce
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-15
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-15
- Advisory updated
- 2026-06-15
Who should care
Users of WPC Product Options for WooCommerce, especially those with versions prior to an unspecified patched version, should be aware of this vulnerability and take necessary actions to mitigate potential risks.
Technical summary
The vulnerability, categorized under CWE-22, allows attackers to download arbitrary files without authentication, potentially leading to sensitive information disclosure. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
Defensive priority
High
Recommended defensive actions
- Update WPC Product Options for WooCommerce to a patched version if available.
- Review and restrict file access permissions to prevent unauthorized file downloads.
- Monitor for suspicious file download activities.
Evidence notes
Evidence suggests that this vulnerability was discovered and reported by Patchstack, as indicated by the reference link provided.
Official resources
-
CVE-2026-49061 CVE record
CVE.org
-
CVE-2026-49061 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
CVE-2026-49061 was published on June 15, 2026, and last modified on the same day.