Commit 433664d3ee4 for woocommerce

commit 433664d3ee44438d2de68fd72e33bbed2e5c2ce9
Author: Seghir Nadir <nadir.seghir@gmail.com>
Date:   Wed Jun 3 13:34:13 2026 +0200

    Check parent product visibility in get_variation AJAX endpoint (#65209)

    The get_variation AJAX endpoint loaded the parent variable product
    without verifying its status, exposing variation data (price, SKU,
    dimensions, description, etc.) for drafts and other non-public
    products to unauthenticated callers. Gate the response on
    ProductStatus::PUBLISH or current_user_can('edit_post', $id) to
    match the visibility/purchasability pattern used elsewhere in the
    codebase.

diff --git a/plugins/woocommerce/changelog/fix-get-variation-parent-visibility b/plugins/woocommerce/changelog/fix-get-variation-parent-visibility
new file mode 100644
index 00000000000..85c25e4b060
--- /dev/null
+++ b/plugins/woocommerce/changelog/fix-get-variation-parent-visibility
@@ -0,0 +1,4 @@
+Significance: patch
+Type: fix
+
+Check parent product visibility in get_variation AJAX endpoint before returning variation data
diff --git a/plugins/woocommerce/includes/class-wc-ajax.php b/plugins/woocommerce/includes/class-wc-ajax.php
index 7c01900c137..5ca71e3c2d2 100644
--- a/plugins/woocommerce/includes/class-wc-ajax.php
+++ b/plugins/woocommerce/includes/class-wc-ajax.php
@@ -618,6 +618,10 @@ class WC_AJAX {
 			wp_die();
 		}

+		if ( ProductStatus::PUBLISH !== $variable_product->get_status() && ! current_user_can( 'edit_post', $variable_product->get_id() ) ) {
+			wp_die();
+		}
+
 		$data_store   = WC_Data_Store::load( 'product' );
 		$variation_id = $data_store->find_matching_product_variation( $variable_product, wp_unslash( $_POST ) );
 		$variation    = $variation_id ? $variable_product->get_available_variation( $variation_id ) : false;
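Review bot: The added gate checks only the parent's post status, so a parent that is `publish` but password-protected still falls through to `get_available_variation()` and returns price, SKU and description to a caller who has not supplied the password. If such products are meant to be covered, add a second guard such as `if ( post_password_required( $variable_product->get_id() ) ) { wp_die(); }`; whether other code already handles this case is not visible in the hunk. Requiring `edit_post` for every non-published status also shuts out users who can read a `private` product without being able to edit it, which may or may not be intended. A short comment above the check would help, for example `// Do not disclose variation data for non-public parents unless the caller can edit the product.`, and a regression test for the draft-parent case would pin the fix. The enclosing method starts and ends outside the hunk.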