PT-2026-36099 · WordPress · Otter Blocks
Drew Webber
·
Published
2026-04-30
·
Updated
2026-05-05
·
CVE-2026-2892
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Otter Blocks versions prior to 3.1.5
Description
The plugin is subject to a purchase verification bypass. The get_customer_data() method relies on an unsigned o_stripe_data cookie to determine product ownership for unauthenticated users, and the check_purchase() method trusts the contents of that cookie without verifying the purchase server-side against the Stripe API for one-time payment mode purchases. Because the cookie is neither signed nor cross-checked, an unauthenticated attacker can bypass content visibility restrictions by forging the o_stripe_data cookie with the target product ID, which is publicly available in the HTML source of the checkout block.
Recommendations
Update to a version later than 3.1.4.
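The two defects named in the description, an ownership cookie the client can write freely and no server-side confirmation of the purchase, shown side by side in a stand-alone PHP sketch. This is an added illustration and not Otter Blocks code: the function names prefixed vuln_/safe_, the base64-JSON cookie format, the COOKIE_SECRET constant and the lookup_paid_session() stand-in for a Stripe Checkout Session retrieval are all assumptions made for the example.

```php
<?php
// Added illustration, not Otter Blocks code. The cookie format, the function
// names and the fake Stripe lookup below are assumptions for this example.

// --- Vulnerable pattern ------------------------------------------------
// Ownership is read straight out of a cookie the client controls. Any
// visitor who knows the product id (present in the checkout block markup)
// can set the cookie and be treated as a buyer.
function vuln_get_customer_data(array $cookies): array {
    $raw  = $cookies['o_stripe_data'] ?? '';
    $data = json_decode(base64_decode($raw), true);
    return is_array($data) ? $data : [];
}

function vuln_check_purchase(array $cookies, string $product_id): bool {
    $data = vuln_get_customer_data($cookies);
    return in_array($product_id, $data['products'] ?? [], true);
}

// --- Hardened pattern --------------------------------------------------
// 1. The cookie carries only a Checkout Session id plus an HMAC under a
//    server-side secret, so a forged or edited cookie fails hash_equals().
// 2. Ownership is decided by a server-side lookup of that session (in a
//    real plugin: the Stripe API), never by what the cookie claims.
const COOKIE_SECRET = 'replace-with-a-random-server-secret'; // assumption

function issue_cookie(string $session_id): string {
    $payload = base64_encode(json_encode(['session' => $session_id]));
    $mac     = hash_hmac('sha256', $payload, COOKIE_SECRET);
    return $payload . '.' . $mac;
}

function safe_get_session_id(array $cookies): ?string {
    $parts = explode('.', $cookies['o_stripe_data'] ?? '', 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, COOKIE_SECRET);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;
    }
    $data = json_decode(base64_decode($payload), true);
    return (is_array($data) && isset($data['session'])) ? (string) $data['session'] : null;
}

// Stand-in for "retrieve the Checkout Session from Stripe and confirm
// payment_status is 'paid' and the line items include $product_id".
// The single session record here is constructed sample data.
function lookup_paid_session(string $session_id): array {
    $fake_stripe = [
        'cs_test_paid1' => ['status' => 'paid', 'products' => ['prod_42']],
    ];
    return $fake_stripe[$session_id] ?? [];
}

function safe_check_purchase(array $cookies, string $product_id): bool {
    $sid = safe_get_session_id($cookies);
    if ($sid === null) {
        return false;
    }
    $s = lookup_paid_session($sid);
    return ($s['status'] ?? '') === 'paid'
        && in_array($product_id, $s['products'] ?? [], true);
}

// --- Demo: the forged cookie an unauthenticated visitor would send ------
$forged = ['o_stripe_data' => base64_encode(json_encode(['products' => ['prod_42']]))];
$legit  = ['o_stripe_data' => issue_cookie('cs_test_paid1')];
$edited = ['o_stripe_data' => issue_cookie('cs_test_paid1') . 'x'];

foreach (['forged' => $forged, 'legit' => $legit, 'edited' => $edited] as $label => $c) {
    printf("%-7s vulnerable=%s hardened=%s\n", $label,
        var_export(vuln_check_purchase($c, 'prod_42'), true),
        var_export(safe_check_purchase($c, 'prod_42'), true));
}
```

Run it with `php <file>.php`: the forged cookie is accepted by the vulnerable check and rejected by the hardened one, only the cookie issued by the server for a session that the server-side lookup reports as paid passes, and a single appended byte invalidates the MAC. The signature alone is not enough; without step 2 a legitimately issued cookie could still be replayed after a refund, which is why the description's point about the missing Stripe API verification matters independently of the signing.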
Weakness Enumeration
Improper Authorization
Related Identifiers
Affected Products
Otter Blocks