CVE-2026-2892
Published: 30 April 2026
Summary
CVE-2026-2892 is a high-severity Improper Authorization (CWE-285) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 23.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-2892 is a purchase verification bypass vulnerability affecting the Otter Blocks plugin for WordPress in all versions up to and including 3.1.4. The issue stems from the 'get_customer_data' method relying on an unsigned 'o_stripe_data' cookie to determine Stripe product ownership for unauthenticated users, while the 'check_purchase' method trusts this cookie data without server-side verification against the Stripe API for one-time 'payment' mode purchases. This flaw, associated with CWE-285 (Improper Authorization), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and was published on 2026-04-30.
Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By forging the 'o_stripe_data' cookie with a target product ID—publicly exposed in the checkout block's HTML source—they can bypass Stripe purchase-gated content visibility conditions, gaining unauthorized access to paid content without completing a legitimate purchase.
Advisories and references, including Wordfence threat intelligence and WordPress plugin trac details, highlight mitigation through a code patch in changeset 3471326. Relevant code locations in class-block-conditions.php (line 274) and class-stripe-api.php (lines 260 and 284) indicate where server-side verification was likely strengthened to prevent cookie forgery. Security practitioners should update to a patched version of the Otter Blocks plugin beyond 3.1.4.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26373
Vulnerability details
The Otter Blocks plugin for WordPress is vulnerable to Purchase Verification Bypass in all versions up to, and including, 3.1.4. This is due to the 'get_customer_data' method relying on an unsigned 'o_stripe_data' cookie to determine Stripe product ownership for unauthenticated users. The 'check_purchase' method trusts this cookie data without performing server-side verification against the Stripe API for one-time 'payment' mode purchases. This makes it possible for unauthenticated attackers to bypass Stripe purchase-gated content visibility conditions by forging the 'o_stripe_data' cookie with a target product ID, which is publicly exposed in the checkout block's HTML source.
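As an added illustration (not code from Otter Blocks, Wordfence or the changeset above), the PHP below places the cookie-trusting pattern described in the deeper analysis and in the vulnerability details beside a hardened check that signs the cookie and re-verifies ownership server-side. The cookie layout, the function names and the Stripe lookup callable are assumptions made for this example.

```php
<?php
// Added illustration, not Otter Blocks code. Cookie layout, function names
// and the Stripe lookup callable are assumptions made for this example.

// Vulnerable pattern: an unsigned cookie alone decides product ownership.
function check_purchase_vulnerable(string $productId): bool {
    $data = json_decode($_COOKIE['o_stripe_data'] ?? '', true);
    $owned = is_array($data) ? ($data['products'] ?? []) : [];
    // Any client can set this cookie, so any product ID can be claimed.
    return is_array($owned) && in_array($productId, $owned, true);
}

// Hardened pattern: the cookie is HMAC-signed and only names the customer;
// ownership is re-verified server-side through $verifyWithStripe, a
// hypothetical callable that returns the product IDs the customer paid for.
function check_purchase_hardened(string $productId, string $secret, callable $verifyWithStripe): bool {
    $raw = $_COOKIE['o_stripe_data'] ?? '';
    // Constructed cookie format: base64(json) . '.' . hmac_sha256_hex
    if (substr_count($raw, '.') !== 1) {
        return false;
    }
    [$payloadB64, $mac] = explode('.', $raw, 2);
    if (!hash_equals(hash_hmac('sha256', $payloadB64, $secret), $mac)) {
        return false; // signature mismatch: tampered or forged cookie
    }
    $payload = json_decode(base64_decode($payloadB64, true) ?: '', true);
    if (!is_array($payload) || empty($payload['customer'])) {
        return false;
    }
    // Only the server-side record of the purchase grants access.
    return in_array($productId, $verifyWithStripe((string) $payload['customer']), true);
}

// Issued by the server after checkout; a client cannot mint a valid MAC.
function issue_cookie(string $customerId, string $secret): string {
    $payloadB64 = base64_encode(json_encode(['customer' => $customerId]));
    return $payloadB64 . '.' . hash_hmac('sha256', $payloadB64, $secret);
}

// Demo with constructed values: first a client-minted cookie claiming
// prod_123, then a server-issued cookie for a customer whose purchase the
// (stubbed) Stripe lookup confirms.
$secret = 'replace-with-server-secret'; // placeholder
$stripe = fn(string $customer): array => $customer === 'cus_paid' ? ['prod_123'] : [];
$_COOKIE['o_stripe_data'] = json_encode(['products' => ['prod_123']]);
var_dump(check_purchase_vulnerable('prod_123'));
var_dump(check_purchase_hardened('prod_123', $secret, $stripe));
$_COOKIE['o_stripe_data'] = issue_cookie('cus_paid', $secret);
var_dump(check_purchase_hardened('prod_123', $secret, $stripe));
```

The secret must live only on the server (never in the block's HTML), and the cookie should additionally carry the `HttpOnly` and `Secure` attributes so it cannot be read or replayed over plain HTTP.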
- CWE(s): CWE-285 (Improper Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
Direct exploitation of this public-facing WordPress plugin authorization bypass (CWE-285) to access gated content without authentication matches T1190 Exploit Public-Facing Application.
Affected Assets
- Otter Blocks plugin for WordPress, all versions up to and including 3.1.4
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces server-side access control policies and authorizations, preventing trust in forged client-side cookies like 'o_stripe_data' for determining product ownership.
- Input validation: requires validation of untrusted inputs such as the unsigned 'o_stripe_data' cookie against server-side Stripe API verification before granting access to purchase-gated content.
- AC-14 (Permitted Actions Without Identification or Authentication): explicitly defines and restricts actions permitted without identification or authentication, blocking unauthenticated access to paid content via cookie forgery.