What is CVE-2026-42668?

CVE-2026-42668 is a high-severity vulnerability in the Omnisend for WooCommerce plugin, allowing unauthenticated attackers to take over an Omnisend account by predicting a connect token. This vulnerability affects versions up to and including 1.18.0.

How does the vulnerability work?

The vulnerability arises from the generate_install_url() function, which generates a connect token using the current Unix timestamp. This predictable token can be brute-forced by attackers, allowing them to authenticate to the REST API and replace sensitive store credentials.

Who is affected by this vulnerability?

Any WordPress site using the Omnisend for WooCommerce plugin version 1.18.0 or earlier is at risk. Administrators should check their plugin version in the WordPress dashboard to determine if they are affected.

How can I check if my site is vulnerable?

To check if your site is vulnerable, log into your WordPress admin panel, navigate to the Plugins section, and look for the Omnisend for WooCommerce plugin. If the version is 1.18.0 or earlier, your site is vulnerable.

What should I do to fix this vulnerability?

To mitigate this vulnerability, update the Omnisend for WooCommerce plugin to version 1.18.1 or later, where the token generation method has been changed to use a cryptographically secure random value.

What is the risk level of this vulnerability?

The vulnerability has a CVSS score of 7.5, indicating high severity. An attacker can exploit this vulnerability without authentication, posing a significant risk to customer data and store operations.

What happens if an attacker exploits this vulnerability?

If exploited, an attacker can replace the store’s Omnisend API key and brand ID, redirecting customer data and marketing communications to their own Omnisend account, leading to data breaches and loss of control over marketing.

How does the proof of concept demonstrate the issue?

The proof of concept shows that an attacker can determine the server’s approximate time and brute-force the connect token by sending requests to the REST API with guessed tokens. A successful guess allows unauthorized access to modify store settings.

What changes were made in the patched version?

In version 1.18.1, the token generation was changed from a predictable timestamp-based method to a secure random generation using bin2hex(random_bytes(32)). This significantly increases the token space, making brute-force attacks infeasible.

What additional security measures were implemented in the patch?

The patch also refactors error handling to prevent information leakage about token validation failures. All invalid token responses now return a uniform 403 status, enhancing security by not revealing which validation step failed.

Can I still use the plugin after updating?

Yes, after updating to version 1.18.1 or later, the vulnerability is mitigated. It is advisable to regularly check for updates and apply them promptly to maintain security.

Where can I find more information about this vulnerability?

More information about CVE-2026-42668 can be found on the National Vulnerability Database or security advisories from the plugin developers. Additionally, security blogs often provide insights into vulnerabilities and their mitigations.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 14, 2026

CVE-2026-42668: Omnisend for WooCommerce <= 1.18.0 – Unauthenticated Omnisend Account Takeover via Predictable Connect Token (omnisend-connect)

CVE ID CVE-2026-42668

Plugin omnisend-connect

Severity High (CVSS 7.5)

CWE 330

Vulnerable Version 1.18.0

Patched Version 1.18.1

Disclosed May 12, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-42668:

This vulnerability allows an unauthenticated attacker to take over the Omnisend integration for any WooCommerce store running plugin version 1.18.0 or earlier. The flaw resides in the OAuth connect token generation mechanism, which uses a predictable value derived solely from the current Unix timestamp. This enables a brute-force attack against the connect REST API endpoint, ultimately letting the attacker replace the store’s Omnisend API key and brand ID with their own values.

The root cause is in the `generate_install_url()` function within `omnisend-connect/includes/class-omnisend-install.php` (line 234 in the vulnerable version). The token was generated as `hash(‘sha256’, time())`, producing a 64-character hex string based only on the current Unix timestamp. Since `time()` returns an integer with one-second granularity, there are at most 86,400 possible values per day. The token is stored in the `omnisend_connect_token` WordPress option and used to authorize the `/wp-json/omnisend-api/v1/connect` REST API endpoint. The `omnisend_rest_api_authorization()` function in `omnisend-api.php` compares the provided token with the stored value using `!==`, which is timing-safe enough but does not mitigate the fundamental weakness of the token space.

An attacker can exploit this by first determining the approximate server time (via HTTP headers, timestamps in responses, or other means). They then brute-force the 86,400 possible SHA-256 hashes of Unix timestamps around that time window. The attack sends POST requests to `/wp-json/omnisend-api/v1/connect` with a JSON body containing `connect_token` (the guessed hash) and `api_key` and `brand_id` parameters controlled by the attacker. A successful guess (HTTP 200 instead of 401/403) means the attacker can replace the store’s Omnisend credentials. The attack is entirely unauthenticated and requires only network access to the target WordPress site.

The patch in version 1.18.1 changes the token generation in `class-omnisend-install.php` (line 234) from `hash(‘sha256’, time())` to `bin2hex(random_bytes(32))`. This produces a 64-character hex string from a cryptographically secure random source, yielding 2^256 possible values. The token is now unpredictable and cannot be brute-forced. Additionally, the patch refactors the error handling in `omnisend-api.php` to use a unified `omnisend_connect_token_invalid_error()` function, which returns a 403 status for all token validation failures (missing token, empty stored token, or token mismatch). This prevents information leakage about which specific validation step failed. The comparison also switched to `hash_equals()` for timing-safe comparison, though the real security gain is from the random token generation.

The impact is critical: an attacker who successfully guesses the connect token can replace the store’s Omnisend API key and brand ID. This redirects all customer data synchronization (names, emails, orders), order webhook notifications, and marketing email/SMS communications to the attacker’s Omnisend account. The store loses control over its marketing automation, and customer PII is exposed to the attacker. Since the attack requires no authentication and can be automated, any site running the vulnerable plugin is at risk until patched.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/omnisend-connect/includes/class-omnisend-install.php
+++ b/omnisend-connect/includes/class-omnisend-install.php
@@ -231,7 +231,7 @@
 		$token = get_option( 'omnisend_connect_token', '' );

 		if ( $token === '' ) {
-			$token = hash( 'sha256', time() );
+			$token = bin2hex( random_bytes( 32 ) );
 			update_option( 'omnisend_connect_token', $token );
 		}

--- a/omnisend-connect/includes/omnisend-api.php
+++ b/omnisend-connect/includes/omnisend-api.php
@@ -147,34 +147,30 @@
 	$body = json_decode( $request->get_body(), true );

 	if ( ! isset( $body['connect_token'] ) ) {
-		return new WP_Error(
-			'omnisend_missing_connect_token',
-			'Missing connect token in request.',
-			array( 'status' => 400 )
-		);
+		return omnisend_connect_token_invalid_error();
 	}

 	$token = get_option( 'omnisend_connect_token', '' );

 	if ( $token === '' ) {
-		return new WP_Error(
-			'omnisend_connect_denied',
-			'Connect token is already used.',
-			array( 'status' => 403 )
-		);
+		return omnisend_connect_token_invalid_error();
 	}

-	if ( $token !== $request['connect_token'] ) {
-		return new WP_Error(
-			'omnisend_incorrect_connect_token',
-			'Connect token is incorrect.',
-			array( 'status' => 401 )
-		);
+	if ( ! hash_equals( $token, (string) $request['connect_token'] ) ) {
+		return omnisend_connect_token_invalid_error();
 	}

 	return true;
 }

+function omnisend_connect_token_invalid_error() {
+	return new WP_Error(
+		'omnisend_invalid_connect_token',
+		'Connect token is invalid.',
+		array( 'status' => 403 )
+	);
+}
+
 function omnisend_rest_api_authorization( WP_REST_Request $request ) {
 	do_action( 'litespeed_control_set_nocache' );
 	$request_api_key = $request->get_header( 'x-api-key' );
--- a/omnisend-connect/omnisend-woocommerce.php
+++ b/omnisend-connect/omnisend-woocommerce.php
@@ -3,7 +3,7 @@
  * Plugin Name: Omnisend for WooCommerce
  * Plugin URI: https://www.omnisend.com
  * Description: 150,000+ ecommerce stores use Omnisend to sell more stuff to more people. Send newsletters & SMS and build email lists with popups.
- * Version: 1.18.0
+ * Version: 1.18.1
  * Author: Omnisend
  * Author URI: https://www.omnisend.com
  * Developer: Omnisend

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

SecRule REQUEST_URI "@beginsWith /wp-json/omnisend-api/v1/connect" "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-42668 - Omnisend Account Takeover via Predictable Connect Token',severity:'CRITICAL',tag:'CVE-2026-42668',t:none"
SecRule REQUEST_METHOD "@streq POST" "chain,t:none"
SecRule REQUEST_BODY "@rx connect_token" "t:none"

Frequently Asked Questions

What is CVE-2026-42668?
Overview of the vulnerability
CVE-2026-42668 is a high-severity vulnerability in the Omnisend for WooCommerce plugin, allowing unauthenticated attackers to take over an Omnisend account by predicting a connect token. This vulnerability affects versions up to and including 1.18.0.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from the generate_install_url() function, which generates a connect token using the current Unix timestamp. This predictable token can be brute-forced by attackers, allowing them to authenticate to the REST API and replace sensitive store credentials.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Omnisend for WooCommerce plugin version 1.18.0 or earlier is at risk. Administrators should check their plugin version in the WordPress dashboard to determine if they are affected.
How can I check if my site is vulnerable?
Steps to verify plugin version
To check if your site is vulnerable, log into your WordPress admin panel, navigate to the Plugins section, and look for the Omnisend for WooCommerce plugin. If the version is 1.18.0 or earlier, your site is vulnerable.
What should I do to fix this vulnerability?
Updating the plugin
To mitigate this vulnerability, update the Omnisend for WooCommerce plugin to version 1.18.1 or later, where the token generation method has been changed to use a cryptographically secure random value.
What is the risk level of this vulnerability?
Understanding the severity
The vulnerability has a CVSS score of 7.5, indicating high severity. An attacker can exploit this vulnerability without authentication, posing a significant risk to customer data and store operations.
What happens if an attacker exploits this vulnerability?
Potential consequences
If exploited, an attacker can replace the store’s Omnisend API key and brand ID, redirecting customer data and marketing communications to their own Omnisend account, leading to data breaches and loss of control over marketing.
How does the proof of concept demonstrate the issue?
Exploit methodology
The proof of concept shows that an attacker can determine the server’s approximate time and brute-force the connect token by sending requests to the REST API with guessed tokens. A successful guess allows unauthorized access to modify store settings.
What changes were made in the patched version?
Improvements in version 1.18.1
In version 1.18.1, the token generation was changed from a predictable timestamp-based method to a secure random generation using bin2hex(random_bytes(32)). This significantly increases the token space, making brute-force attacks infeasible.
What additional security measures were implemented in the patch?
Enhancements to error handling
The patch also refactors error handling to prevent information leakage about token validation failures. All invalid token responses now return a uniform 403 status, enhancing security by not revealing which validation step failed.
Can I still use the plugin after updating?
Post-update considerations
Yes, after updating to version 1.18.1 or later, the vulnerability is mitigated. It is advisable to regularly check for updates and apply them promptly to maintain security.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-42668 can be found on the National Vulnerability Database or security advisories from the plugin developers. Additionally, security blogs often provide insights into vulnerabilities and their mitigations.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations