What happened
Motive Commerce Search (AI Product Search for WooCommerce), a plugin that provides AI-powered semantic product search for WooCommerce stores, contains an unauthenticated broken access control vulnerability in versions up to and including 1.38.2. Published June 15, 2026 (CVSS 8.2 HIGH). Remote unauthenticated attackers can access restricted plugin functionality.
Why it matters
AI-powered search plugins for e-commerce often handle sensitive search index data, product catalogues, and may store API keys for external AI search services. An unauthenticated access control bypass can expose search configuration, customer query history, or allow manipulation of the AI search index to serve fraudulent or malicious product results to shoppers.
Attack vector
An unauthenticated remote attacker exploits missing or improperly implemented access control checks in the plugin's endpoints to invoke restricted administrative or configuration functions of the AI search engine without any credentials.
Affected systems
AI Product Search for WooCommerce – Motive Commerce Search ≤ 1.38.2
Mitigation
Update Motive Commerce Search to version 1.38.3 or later. Advisory: https://patchstack.com/database/wordpress/plugin/motive-commerce-search/vulnerability/wordpress-ai-product-search-for-woocommerce-motive-commerce-search-plugin-1-38-2-broken-access-control-vulnerability