CVE-2026-32457

Advanced Product Fields (Product Addons) for WooCommerce <= 1.6.18 - Missing Authorization

Severity: Medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 1.6.19
Time to patch: 9 days

Description

The Advanced Product Fields (Product Addons) for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.6.18. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.6.18
Published: March 11, 2026
Last updated: March 19, 2026

What Changed in the Fix

Changes introduced in v1.6.19


Source Code

WordPress.org SVN
Research Plan (unverified)

Exploitation Research Plan: CVE-2026-32457

1. Vulnerability Summary

The Advanced Product Fields (Product Addons) for WooCommerce plugin (<= 1.6.18) contains a missing authorization vulnerability. The Admin_Controller registers several AJAX actions intended for administrative product and term searching: wapf_search_products, wapf_search_tags, wapf_search_cat and wapf_search_variations. Their handler functions perform no sufficient capability check. If any of them is also registered under the nopriv hook (to support front-end features such as "Child Product" selection), unauthenticated users can query product data that may be sensitive.

The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N records a Low Integrity impact and no Confidentiality impact, so the scored issue is an unauthorized state change rather than a read-only search. One candidate is duplication of field groups through the maybe_duplicate method, if it is triggered from an early hook such as admin_init without a capability check.
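The handler shape the plan describes is easy to triage statically. In WordPress, wp_ajax_nopriv_{action} runs for unauthenticated callers and wp_ajax_{action} runs for any logged-in user regardless of role, so a handler registered on either hook must call current_user_can() itself; a nonce check (check_ajax_referer) only defends against CSRF and is not an authorization check. The Python script below is an added example, not code from the plugin, from WordPress.org or from this page: it scans plugin source for AJAX registrations and flags handlers that never check a capability. The embedded PHP is a constructed sample; the Admin_Controller class name and the wapf_search_products action are borrowed from the unverified plan above, while the other action names and every method body are invented (the hardened delete_group handler shows the fix pattern).

```python
import re
from dataclasses import dataclass

# Constructed sample plugin source, not the real plugin's code. Only the class
# name and wapf_search_products come from the research plan; the rest is invented.
SAMPLE_PLUGIN_SOURCE = r'''<?php
class Admin_Controller {
    public function __construct() {
        // Reachable by anyone: registered for logged-in AND nopriv callers.
        add_action( 'wp_ajax_wapf_search_products', [ $this, 'search_products' ] );
        add_action( 'wp_ajax_nopriv_wapf_search_products', [ $this, 'search_products' ] );
        // Logged-in only, but wp_ajax_ fires for every role, subscriber included.
        add_action( 'wp_ajax_wapf_duplicate_group', [ $this, 'duplicate_group' ] );
        // Hardened: nonce (CSRF) plus capability check (authorization).
        add_action( 'wp_ajax_wapf_delete_group', array( $this, 'delete_group' ) );
    }
    public function search_products() {
        wp_send_json( $this->query_products( sanitize_text_field( $_GET['term'] ) ) );
    }
    public function duplicate_group() {
        wp_send_json_success( $this->copy_group( absint( $_POST['id'] ) ) );
    }
    public function delete_group() {
        check_ajax_referer( 'wapf_admin', 'nonce' );
        if ( ! current_user_can( 'manage_woocommerce' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        $this->remove_group( absint( $_POST['id'] ) );
        wp_send_json_success();
    }
}
'''

# add_action( 'wp_ajax_[nopriv_]ACTION', [ $this, 'm' ] | array( $this, 'm' ) | 'func' )
REGISTER_RE = re.compile(
    r"add_action\(\s*['\"]wp_ajax_(nopriv_)?(\w+)['\"]\s*,\s*"
    r"(?:(?:array\(|\[)\s*\$this\s*,\s*['\"](\w+)['\"]\s*[\)\]]|['\"](\w+)['\"])"
)
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(")
CAP_RE = re.compile(r"\bcurrent_user_can\s*\(")
NONCE_RE = re.compile(r"\b(?:check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\(")


@dataclass
class Finding:
    action: str
    handler: str
    unauthenticated: bool   # also registered under wp_ajax_nopriv_
    handler_found: bool     # body located in the scanned source
    capability_check: bool  # handler calls current_user_can()
    nonce_check: bool       # handler verifies a nonce (CSRF only, not authz)

    @property
    def verdict(self) -> str:
        if not self.handler_found:
            return "handler body not in this file; review manually"
        if not self.capability_check:
            who = "unauthenticated" if self.unauthenticated else "any logged-in user"
            return f"missing authorization ({who})"
        if not self.nonce_check:
            return "authorized but no nonce (CSRF-prone)"
        return "ok"


def extract_function_bodies(src: str) -> dict:
    """Map function name -> body via brace matching (ignores braces in strings)."""
    bodies = {}
    for m in FUNC_RE.finditer(src):
        start = src.find("{", m.end())
        if start == -1:
            continue
        depth = 0
        for i in range(start, len(src)):
            if src[i] == "{":
                depth += 1
            elif src[i] == "}":
                depth -= 1
                if depth == 0:
                    bodies[m.group(1)] = src[start + 1:i]
                    break
    return bodies


def audit(src: str) -> list:
    """Return one Finding per AJAX action registered in src, in registration order."""
    registrations = {}  # action -> [handler, registered_for_nopriv]
    for m in REGISTER_RE.finditer(src):
        nopriv, action, handler = bool(m.group(1)), m.group(2), m.group(3) or m.group(4)
        entry = registrations.setdefault(action, [handler, False])
        entry[1] = entry[1] or nopriv
    bodies = extract_function_bodies(src)
    findings = []
    for action, (handler, nopriv) in registrations.items():
        body = bodies.get(handler)
        findings.append(Finding(action, handler, nopriv, body is not None,
                                bool(CAP_RE.search(body or "")),
                                bool(NONCE_RE.search(body or ""))))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PLUGIN_SOURCE):
        print(f"{f.action:<26} {f.handler:<18} nopriv={str(f.unauthenticated):<5} {f.verdict}")
```

To use it on a real plugin, read each PHP file into audit(). A handler whose body lives in another file is reported for manual review rather than silently passed, and a brace inside a string literal can confuse the body extractor, so treat the output as triage rather than proof.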

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php (AJAX) or /wp-admin/admin-post.php (for admin_init hooks).
  • Vulnerable Actions:
    • wapf_search_products (AJAX)
    • `wap
