CVE-2026-2892

HIGH 7.5

Otter Blocks <= 3.1.4 - Improper Authorization to Unauthenticated Purchase Verification Bypass via Forged Cookie

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

The Otter Blocks plugin for WordPress is vulnerable to Purchase Verification Bypass in all versions up to, and including, 3.1.4. This is due to the 'get_customer_data' method relying on an unsigned 'o_stripe_data' cookie to determine Stripe product ownership for unauthenticated users. The 'check_purchase' method trusts this cookie data without performing server-side verification against the Stripe API for one-time 'payment' mode purchases. This makes it possible for unauthenticated attackers to bypass Stripe purchase-gated content visibility conditions by forging the 'o_stripe_data' cookie with a target product ID, which is publicly exposed in the checkout block's HTML source.

CWE	CWE-285
Vendor	themeisle
Product	otter blocks – gutenberg blocks, page builder for gutenberg editor & fse
Published	Apr 30, 2026

Stay Ahead of the Next One

Get instant alerts for themeisle otter blocks – gutenberg blocks, page builder for gutenberg editor & fse

Be the first to know when new high vulnerabilities affecting themeisle otter blocks – gutenberg blocks, page builder for gutenberg editor & fse are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

themeisle / Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE

0 ≤ 3.1.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

Credits

Drew Webber