Attack Vectors
CVE-2026-27046 affects StoreCustomizer – A plugin to Customize all WooCommerce Pages (slug: woocustomizer) in versions <= 2.6.3. This is a Medium severity issue (CVSS 4.3, vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
The attack scenario requires a user to be logged in with at least subscriber-level access. In practical business terms, this can include legitimate customers with accounts, partners, contractors, or anyone who obtains low-level credentials through password reuse, phishing, or a compromised endpoint.
Because the issue is network-reachable and requires no user interaction (per the CVSS vector), it can be exploited remotely as soon as an attacker holds any account at subscriber level or above.
Security Weakness
The vulnerability is caused by a missing authorization (capability) check on a plugin function in StoreCustomizer versions up to and including 2.6.3. In short: the plugin does not adequately confirm that the logged-in user is allowed to perform the action being requested.
This type of weakness is especially relevant for WooCommerce sites where many people may have basic accounts, increasing the number of potential entry points if even one low-privilege account is abused.
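To make the weakness concrete, here is an added illustration of the pattern the advisory describes, written for this page and not taken from StoreCustomizer or the Wordfence report. The action name, option name and capability choice are assumptions for the example. The first handler is registered on a `wp_ajax_` hook, which WordPress runs for any logged-in user, so a subscriber can reach it; the second adds the nonce and capability checks that the advisory says were missing, and the REST route shows the equivalent `permission_callback` guard.

```php
<?php
// Added example (not StoreCustomizer code): a generic WordPress handler with
// a missing capability check, beside its hardened form.
// Hypothetical names: the action 'demo_save_storefront_setting', the option
// 'demo_storefront_banner' and the REST namespace 'demo/v1' exist only here.

// VULNERABLE PATTERN: wp_ajax_* hooks fire for ANY authenticated user
// (subscriber and above). The handler trusts the login alone and never asks
// whether this user is allowed to change storefront state.
function demo_save_storefront_setting_vulnerable() {
    $value = isset( $_POST['banner'] ) ? sanitize_text_field( wp_unslash( $_POST['banner'] ) ) : '';
    update_option( 'demo_storefront_banner', $value );
    wp_send_json_success();
}

// HARDENED PATTERN: verify a nonce (CSRF) and an explicit capability before
// touching state. 'manage_woocommerce' is the capability WooCommerce grants
// to shop managers and administrators; subscribers do not hold it.
function demo_save_storefront_setting_hardened() {
    // Dies with HTTP 403 if the request lacks a valid nonce for this action.
    check_ajax_referer( 'demo_save_storefront_setting', 'nonce' );

    // Authorization check: role-independent, capability-based.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $value = isset( $_POST['banner'] ) ? sanitize_text_field( wp_unslash( $_POST['banner'] ) ) : '';
    update_option( 'demo_storefront_banner', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_storefront_setting', 'demo_save_storefront_setting_hardened' );

// Nonce the admin-side script must send (e.g. passed via wp_localize_script()).
function demo_storefront_setting_nonce() {
    return wp_create_nonce( 'demo_save_storefront_setting' );
}

// REST equivalent: permission_callback is where the capability check lives.
// Returning '__return_true' here would reproduce the same class of weakness.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/storefront-banner', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $req ) {
            update_option( 'demo_storefront_banner', sanitize_text_field( $req->get_param( 'banner' ) ) );
            return rest_ensure_response( array( 'ok' => true ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
        'args'                => array(
            'banner' => array( 'type' => 'string', 'required' => true ),
        ),
    ) );
} );
```

When reviewing a plugin for this class of bug, the practical check is to list every `wp_ajax_*`, `admin_post_*` and `register_rest_route` callback that writes options, posts or settings and confirm each one calls `current_user_can()` (or a non-trivial `permission_callback`) before the write; a nonce alone is not authorization, since any logged-in user can obtain a nonce for actions exposed to them.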
Technical or Business Impacts
The known impact is that an authenticated attacker (subscriber and above) may be able to perform an unauthorized action. While the public advisory describes the issue at a high level, the business risk is clear: actions performed outside of intended roles can lead to unexpected storefront changes, operational disruption, and loss of trust if customers encounter altered purchasing experiences.
For marketing, brand, and revenue teams, even “small” unauthorized changes to the shopping journey can create measurable harm: reduced conversions, increased cart abandonment, customer support spikes, and potential compliance concerns if site behavior changes in ways that affect notices or required disclosures.
Remediation: Update StoreCustomizer to version 2.6.5 or a newer patched version. Reference: Wordfence vulnerability report. CVE record: CVE-2026-27046.
Similar Attacks
Authorization flaws are a recurring theme in WordPress security because they can allow actions that were intended only for administrators or store managers. A well-known example is the WordPress REST API content injection vulnerability (CVE-2017-5487), which demonstrated how authorization gaps can enable unauthorized changes with serious brand and trust implications.