CVE-2026-40737 PUBLISHED

WordPress COMPE plugin <= 1.1.4 - Insecure Direct Object References (IDOR) vulnerability

Assigner: Patchstack
Reserved: 15.04.2026 Published: 15.04.2026 Updated: 15.04.2026

Authorization Bypass Through User-Controlled Key vulnerability in VillaTheme COMPE compe-woo-compare-products allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects COMPE: from n/a through <= 1.1.4.

Product Status

Vendor	VillaTheme
Product	COMPE
Versions	Default: unaffected affected from 0 to 1.1.4 (incl.)

Credits

Ali Osman ERBAS (0110m4n) | Patchstack Bug Bounty Program finder

References

https://patchstack.com/database/Wordpress/Plugin/compe-woo-compare-products/vulnerability/wordpress-compe-plugin-1-1-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve

Problem Types

Authorization Bypass Through User-Controlled Key CWE

Impacts

Exploiting Incorrectly Configured Access Control Security Levels