The Product Configurator for WooCommerce WordPress plugin before 1.7.3 does not perform any authorisation or post-status check before returning WooCommerce product data through a public AJAX action, allowing unauthenticated users to retrieve the data (title, price, weight, stock status, and configurator option pricing/SKUs) of private and draft, non-public products by supplying the product ID. WordPress post-visibility controls are bypassed.
Casky was already ahead
This CVE relies on attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
The Product Configurator for WooCommerce plugin before version 1.7.3 contains a critical authorization bypass vulnerability in its AJAX endpoints. The plugin fails to validate user permissions or check post status before exposing sensitive product data—including pricing, SKU information, weight, and stock status—through publicly accessible functions. Attackers can enumerate private and draft products by simply supplying product IDs, completely circumventing WordPress's native post-visibility controls. This affects any e-commerce site using the vulnerable plugin, exposing confidential product information, pricing strategies, and unreleased inventory to unauthenticated users.
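The missing checks are easiest to see side by side. The following is an added illustration, not the plugin's code: a generic WooCommerce AJAX handler in the vulnerable shape the advisory describes, followed by a hardened version that enforces post status, the caller's capability, and (for logged-in callers) a nonce. The action name, function names and the `wc-product-data` nonce are hypothetical; the WordPress and WooCommerce functions called are real.

```php
<?php
// Added example, not the plugin's own code. Action/function names and the
// 'wc-product-data' nonce are hypothetical; WP/WC API calls are real.

// Vulnerable shape: any caller receives data for any product ID, because
// neither post status nor the caller's rights are checked before output.
function example_vulnerable_product_data() {
    $product = wc_get_product( absint( $_POST['product_id'] ?? 0 ) );
    if ( ! $product ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( [
        'title' => $product->get_name(),
        'price' => $product->get_price(),
        'sku'   => $product->get_sku(),
    ] );
}

// Hardened shape: non-published (draft, private, pending) products are only
// returned to users who may edit them; every refusal uses the same response
// as a missing ID, so the endpoint cannot be used to confirm a product exists.
function example_hardened_product_data() {
    $product_id = absint( $_POST['product_id'] ?? 0 );
    $product    = wc_get_product( $product_id );
    $may_edit   = current_user_can( 'edit_post', $product_id );

    // Post-status check: only 'publish' is public; WordPress's own visibility.
    if ( ! $product || ( get_post_status( $product_id ) !== 'publish' && ! $may_edit ) ) {
        wp_send_json_error( 'not found', 404 );
    }
    // WooCommerce catalog visibility: products hidden from shop/search stay hidden.
    if ( ! $product->is_visible() && ! $may_edit ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( [
        'title' => $product->get_name(),
        'price' => $product->get_price(),
        'sku'   => $product->get_sku(),
    ] );
}

// Logged-in callers must also present the nonce rendered with the page, so a
// forged cross-site request is rejected before any product lookup happens.
function example_hardened_product_data_priv() {
    check_ajax_referer( 'wc-product-data', 'nonce' );
    example_hardened_product_data();
}
add_action( 'wp_ajax_example_product_data', 'example_hardened_product_data_priv' );
add_action( 'wp_ajax_nopriv_example_product_data', 'example_hardened_product_data' );
```

For detection, the same checks translate into a review rule: any `wp_ajax_nopriv_*` handler that calls `wc_get_product()` or `get_post()` with a caller-supplied ID and never consults `get_post_status()`, `is_post_publicly_viewable()` or `current_user_can()` before responding is worth flagging.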
While CVE-2026-11568 maps to zero MITRE ATT&CK techniques in the current framework, Casky's extended reasoning capabilities would detect the attack chain underlying this vulnerability through several critical patterns: Improper Input Validation (T1190 precursor), Unauthorized Information Disclosure (related to T1526 - Enumerate Cloud Resources applied to plugin APIs), and Privilege Escalation via Broken Access Control. A practitioner using Casky would observe findings highlighting unauthenticated AJAX function calls lacking capability checks, direct database queries returning restricted post types, and absence of nonce verification. The platform's 754 security skills would flag insecure direct object references (IDOR) patterns, missing authorization middleware, and overly permissive AJAX handlers—enabling practitioners to identify similar authorization bypasses across their WordPress ecosystem before exploitation occurs.