Cyber Resilience

CVE-2026-2892

High

Published: 30 April 2026
Modified: 30 April 2026
KEV Added: not listed
Patch: available (WordPress plugin changeset 3471326)
CVSS v3.1: 7.5 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.0008 (23.9th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-2892 is a high-severity Improper Authorization (CWE-285) vulnerability in the Otter Blocks plugin for WordPress (the affected product is inferred from the references; NVD has not filed a CPE). Its CVSS v3.1 base score is 7.5 (High); the vector records a full loss of confidentiality with no integrity or availability impact.

Operationally, exploitation aligns with the MITRE ATT&CK technique T1190 (Exploit Public-Facing Application). EPSS ranks it at the 23.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-2892 is a purchase verification bypass vulnerability affecting the Otter Blocks plugin for WordPress in all versions up to and including 3.1.4. The issue stems from the 'get_customer_data' method relying on an unsigned 'o_stripe_data' cookie to determine Stripe product ownership for unauthenticated users, while the 'check_purchase' method trusts this cookie data without server-side verification against the Stripe API for one-time 'payment' mode purchases. This flaw, associated with CWE-285 (Improper Authorization), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and was published on 2026-04-30.

Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By forging the 'o_stripe_data' cookie with a target product ID—publicly exposed in the checkout block's HTML source—they can bypass Stripe purchase-gated content visibility conditions, gaining unauthorized access to paid content without completing a legitimate purchase.

Advisories and references, including Wordfence threat intelligence and the WordPress plugin trac, point to the fix in changeset 3471326. The referenced code locations in class-block-conditions.php (line 274) and class-stripe-api.php (lines 260 and 284) are where the cookie is read and the purchase condition is evaluated, and are likely where server-side verification was strengthened. Update the Otter Blocks plugin to a version later than 3.1.4. Until that is done, treat any content gated only by the Stripe purchase condition as effectively public: the vector scores confidentiality impact only (C:H/I:N/A:N), so the exposure is the paid content itself, not payment records or site integrity. Any fix has to decide ownership from Stripe's records, or from data the server itself wrote and signed, never from a value the browser supplies.
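To make the failure mode concrete, the following is an added example written for this page; it is not the Otter Blocks plugin's PHP and is not taken from the advisory. It models the two methods the advisory names, 'get_customer_data' and 'check_purchase', in Python, with an assumed cookie layout (base64-encoded JSON), an assumed HMAC signing scheme, a constructed per-site secret and a constructed stand-in for the Stripe API; the real plugin's cookie format and patched code are not shown on this page. The 'vulnerable_' functions reproduce the trust-the-cookie logic the advisory describes, and the 'hardened_' functions show the property a fix needs: ownership decided from the processor's records, with the cookie carrying only a server-signed identity reference.

```python
import base64
import hashlib
import hmac
import json

# ---- Vulnerable model: the trust decision the advisory describes --------------
# Assumption: the cookie holds base64-encoded JSON listing product IDs. The real
# plugin's cookie layout is not on the page; only the trust decision matters.

def vulnerable_get_customer_data(cookies):
    """Reads 'o_stripe_data' and believes whatever ownership claims it contains."""
    raw = cookies.get("o_stripe_data")
    if not raw:
        return {"purchased": []}
    try:
        return json.loads(base64.urlsafe_b64decode(raw))
    except ValueError:  # covers bad base64 and bad JSON
        return {"purchased": []}

def vulnerable_check_purchase(cookies, product_id):
    """No server-side check: a product ID present in the cookie counts as purchased."""
    data = vulnerable_get_customer_data(cookies)
    return product_id in data.get("purchased", [])

def forge_cookie(product_id):
    """What the attacker sends; the product ID is readable in the checkout block's HTML."""
    payload = json.dumps({"purchased": [product_id]}).encode()
    return {"o_stripe_data": base64.urlsafe_b64encode(payload).decode()}

# ---- Hardened model ------------------------------------------------------------
# Assumption: a per-site secret (in WordPress this would derive from the installed
# salts) signs the cookie, and the cookie names a customer, never a product.

SERVER_SECRET = b"constructed-example-secret-not-for-real-use"

# Constructed stand-in for the Stripe API: (customer, product) pairs with a
# completed one-time 'payment' mode purchase.
STRIPE_COMPLETED_PAYMENTS = {("cus_A", "prod_123")}

def stripe_has_paid(customer_id, product_id):
    """Server-side verification against the payment processor (stubbed here)."""
    return (customer_id, product_id) in STRIPE_COMPLETED_PAYMENTS

def _sign(b64_payload):
    return hmac.new(SERVER_SECRET, b64_payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(customer_id):
    """Server mints the cookie after it has identified the customer itself."""
    payload = json.dumps({"customer": customer_id}, separators=(",", ":")).encode()
    b64 = base64.urlsafe_b64encode(payload).decode()
    return {"o_stripe_data": f"{b64}.{_sign(b64)}"}

def hardened_get_customer_data(cookies):
    """Returns the cookie payload only if its signature verifies; None otherwise."""
    raw = cookies.get("o_stripe_data")
    if not raw or "." not in raw:
        return None
    b64, sig = raw.rsplit(".", 1)
    if not hmac.compare_digest(sig.encode(), _sign(b64).encode()):
        return None  # forged or tampered
    try:
        return json.loads(base64.urlsafe_b64decode(b64))
    except ValueError:
        return None

def hardened_check_purchase(cookies, product_id):
    """Ownership comes from Stripe's records; the cookie only says who is asking."""
    data = hardened_get_customer_data(cookies)
    if not data or "customer" not in data:
        return False
    return stripe_has_paid(data["customer"], product_id)

def tamper_cookie(cookie, customer_id):
    """Attacker keeps a valid signature but swaps the payload; must be rejected."""
    _, sig = cookie["o_stripe_data"].rsplit(".", 1)
    payload = json.dumps({"customer": customer_id}, separators=(",", ":")).encode()
    return {"o_stripe_data": f"{base64.urlsafe_b64encode(payload).decode()}.{sig}"}

if __name__ == "__main__":
    forged = forge_cookie("prod_123")
    print("vulnerable, forged cookie:", vulnerable_check_purchase(forged, "prod_123"))  # True
    print("hardened, forged cookie:", hardened_check_purchase(forged, "prod_123"))      # False
    legit = issue_cookie("cus_A")
    print("hardened, paying customer:", hardened_check_purchase(legit, "prod_123"))     # True
    swapped = tamper_cookie(issue_cookie("cus_B"), "cus_A")
    print("hardened, re-signed payload:", hardened_check_purchase(swapped, "prod_123")) # False
```

The signature is only half of the hardening: it stops the cookie being minted or altered client-side, but the actual grant still comes from stripe_has_paid, so even a validly signed cookie for a customer who never completed the one-time payment is refused. In a real deployment the signed payload should also carry an expiry and be bound to the session, which this model omits.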

Vulnerability details

The Otter Blocks plugin for WordPress is vulnerable to Purchase Verification Bypass in all versions up to, and including, 3.1.4. This is due to the 'get_customer_data' method relying on an unsigned 'o_stripe_data' cookie to determine Stripe product ownership for unauthenticated users. The 'check_purchase' method trusts this cookie data without performing server-side verification against the Stripe API for one-time 'payment' mode purchases. This makes it possible for unauthenticated attackers to bypass Stripe purchase-gated content visibility conditions by forging the 'o_stripe_data' cookie with a target product ID, which is publicly exposed in the checkout block's HTML source.

CWE(s): CWE-285 Improper Authorization

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct exploitation of this public-facing WordPress plugin authorization bypass (CWE-285) to access gated content without authentication matches T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25809 (shared CWE-285)
CVE-2026-32252 (shared CWE-285)
CVE-2026-30702 (shared CWE-285)
CVE-2026-40246 (shared CWE-285)
CVE-2023-53895 (shared CWE-285)
CVE-2026-28448 (shared CWE-285)
CVE-2025-25196 (shared CWE-285)
CVE-2026-22022 (shared CWE-285)
CVE-2025-49701 (shared CWE-285)
CVE-2026-34320 (shared CWE-285)

Affected Assets

WordPress (Otter Blocks plugin, versions up to and including 3.1.4)
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-3 Access Enforcement (prevent): enforces server-side access control decisions, so product ownership is never taken from a forgeable client-side cookie such as 'o_stripe_data'.

Input validation (prevent; the page describes this control without naming it, and it corresponds to SI-10 Information Input Validation in 800-53 r5): requires that untrusted input such as the unsigned 'o_stripe_data' cookie be verified against the Stripe API on the server before purchase-gated content is released.

AC-14 Permitted Actions Without Identification or Authentication (prevent): explicitly defines and restricts what unauthenticated users may do, blocking access to paid content via cookie forgery.

References: Wordfence threat intelligence; WordPress plugin trac (changeset 3471326).