Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in Patterns in the cloud Autoship Cloud for WooCommerce Subscription Products allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Autoship Cloud for WooCommerce Subscription Products: from n/a through 2.14.0.
AnalysisAI
Missing Authorization in Autoship Cloud for WooCommerce Subscription Products (versions through 2.14.0) allows authenticated low-privileged users to perform actions beyond their intended permission scope, resulting in unauthorized data modification. Reported by Patchstack, this CWE-862 flaw means the plugin fails to verify whether an authenticated user holds the correct capability before executing sensitive operations within the WooCommerce subscription management interface. No active exploitation is confirmed (not in CISA KEV), no public exploit code has been identified, and the EPSS score of 0.03% (8th percentile) signals negligible automated exploitation activity at this time.
Technical ContextAI
The affected component is a WordPress plugin - Autoship Cloud for WooCommerce Subscription Products by Patterns in the Cloud - identified by CPE cpe:2.3:a:patterns_in_the_cloud:autoship_cloud_for_woocommerce_subscription_products:*:*:*:*:*:*:*:*. The root cause is CWE-862 (Missing Authorization), a class of flaw where code executes privileged operations without first confirming the requesting user holds the necessary WordPress capability or role. In the WordPress/WooCommerce ecosystem, this typically manifests as AJAX handlers, REST API endpoints, or admin-action hooks that lack a current_user_can() or nonce-plus-capability check, allowing any logged-in user - including subscribers or customers - to invoke functionality intended only for shop managers or administrators. The CVSS vector AV:N/AC:L/PR:L/UI:N confirms the attack is fully network-exploitable with no interaction required beyond holding a basic authenticated session.
RemediationAI
The primary remediation is to update the Autoship Cloud for WooCommerce Subscription Products plugin to a version beyond 2.14.0. Note that no exact patched release version is confirmed from the available input data - the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/autoship-cloud/vulnerability/wordpress-autoship-cloud-for-woocommerce-subscription-products-plugin-2-14-0-broken-access-control-vulnerability should be consulted for the specific fixed version before upgrading. As a compensating control pending patching, site administrators can restrict WordPress user registration or limit the creation of low-privilege accounts (subscriber/customer roles) to reduce the pool of potential authenticated attackers; note this may impact legitimate WooCommerce storefront functionality. Additionally, a Web Application Firewall rule scoped to the plugin's specific AJAX or REST endpoints can add a detection layer, though the exact vulnerable endpoint is not disclosed in available data.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31758
GHSA-249v-wcw9-x5fj